
A new security update, Nginx 1.29.5, has been released to fix a critical SSL upstream injection bug (CVE-2026-1642) that could allow attackers to bypass host-based access controls and expose internal data to the internet. This vulnerability affects Nginx instances with SSL termination and is particularly relevant for public-facing servers using TLS. The patch adds proper logging and tightens read-before-write logic to prevent the attack, but users should still upgrade their Nginx version as soon as possible to ensure security. Nginx 1.28.2 has also been released with the same fix for earlier versions of Nginx 1.28.



Nginx 1.29.5 security fix: why you should upgrade right now

If you’re still running an older 1.28/1.29 build, the new 1.29.5 (and its sibling 1.28.2) fixes a nasty SSL upstream injection bug (CVE‑2026‑1642).

What CVE‑2026‑1642 really means

The flaw lives in Nginx’s handling of TLS “ech_required” alerts. An attacker who can inject arbitrary data into the TLS stream could force the server to treat downstream traffic as if it came from a trusted upstream, effectively bypassing any host‑based access controls you’ve set up.

The fix in 1.29.5 adds proper logging for that alert and tightens the read‑before‑write logic so the server refuses to forward anything until it’s sure the TLS handshake completed cleanly.

Do you need to upgrade?

If you run any public‑facing Nginx instance (including the Windows builds) and you use SSL termination, you’re in the line of fire. The bug doesn’t affect plain HTTP, but most sites terminate TLS at Nginx these days, so it’s a pretty common scenario. Better safe than sorry.
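A quick way to check a host against the two fixed releases named above, as an added example that is not from the nginx project or the original post; the function names are hypothetical and the sample banners are constructed. Branches other than 1.28 and 1.29 are reported as not covered because the post does not address them.

```shell
#!/bin/sh
# Added example: compare an nginx version with the fixed releases named in
# the post (1.29.5 mainline, 1.28.2 stable). Function names are hypothetical.

# Pull "1.29.4" out of the banner that `nginx -v` prints.
extract_nginx_version() {
    printf '%s\n' "$1" | sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*$|\1|p'
}

# Print: fixed | upgrade-to-<release> | not-covered | unparsed
classify_nginx_version() {
    ver=$1
    case $ver in
        ''|*[!0-9.]*|.*|*.|*..*) echo unparsed; return 0 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $ver                 # split major.minor.patch on the dots
    IFS=$old_ifs
    [ $# -eq 3 ] || { echo unparsed; return 0; }
    case "$1.$2" in
        1.29) fixed_patch=5 ;;
        1.28) fixed_patch=2 ;;
        *)    echo not-covered; return 0 ;;   # branch not named in the post
    esac
    if [ "$3" -ge "$fixed_patch" ]; then
        echo fixed
    else
        echo "upgrade-to-$1.$2.$fixed_patch"
    fi
}

# Check the binary on PATH, if any. nginx -v writes its banner to stderr.
check_local_nginx() {
    command -v nginx >/dev/null 2>&1 || { echo "nginx not on PATH"; return 0; }
    banner=$(nginx -v 2>&1)
    ver=$(extract_nginx_version "$banner")
    echo "nginx ${ver:-unknown}: $(classify_nginx_version "$ver")"
}

# Constructed sample banners, so the script shows output without nginx installed.
for banner in "nginx version: nginx/1.29.4" "nginx version: nginx/1.28.2" \
              "nginx version: nginx/1.26.3 (Ubuntu)"; do
    v=$(extract_nginx_version "$banner")
    echo "$v -> $(classify_nginx_version "$v")"
done
check_local_nginx
```

Distribution packages sometimes backport security fixes without changing the upstream version number, so confirm against your vendor's advisory when the package is not an nginx.org build.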

Full changelog for 1.29.5:

  • Fixed duplicate ids in the bug report template. by @bavshin-f5 in #1035
  • SSL: logging level of the "ech_required" TLS alert. by @arut in #1038
  • Win32: fixed C4319 warning with MSVC x86. by @bavshin-f5 in #1057
  • Add a HTTP_HOST parameter to default_params. by @ac000 in #1031
  • Year 2026. by @pluknet in #1076
  • Range filter: reasonable limit on multiple ranges. by @pluknet in #1075
  • Misc: moved documentation in generated ZIP archive. by @pluknet in #1078
  • Docs: Clarify -t option behavior in nginx man page by @uhliarik in #1089
  • Proxy v2 request body fixes. by @pluknet in #1058
  • Updated OpenSSL and PCRE used for win32 builds. by @arut in #1111
  • Upstream read before write. by @arut in #1112
  • nginx-1.29.5-RELEASE by @arut in #1113

That’s it – upgrade, verify, and get back to serving traffic without worrying about a hidden TLS bypass.

For download links, check out the GitHub announcement below:

Release Nginx release-1.29.5

nginx-1.29.5 mainline version has been released. This release includes a security fix for the SSL upstream injection vulnerability (CVE-2026-1642). See official CHANGES on nginx.org.

Release release-1.29.5 · nginx/nginx

Release Nginx release-1.28.2

nginx-1.28.2 stable version has been released. This release includes a security fix for the SSL upstream injection vulnerability (CVE-2026-1642). See official CHANGES-1.28 on nginx.org.

Release release-1.28.2 · nginx/nginx