Vulnerability Details CVE-2026-28755
NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 2.8%
CVSS Severity
CVSS v3 Score 5.4
Products affected by CVE-2026-28755
-
cpe:2.3:a:f5:nginx_open_source:0.5.13
-
cpe:2.3:a:f5:nginx_open_source:0.5.14
-
cpe:2.3:a:f5:nginx_open_source:0.5.15
-
cpe:2.3:a:f5:nginx_open_source:0.5.16
-
cpe:2.3:a:f5:nginx_open_source:0.5.17
-
cpe:2.3:a:f5:nginx_open_source:0.5.18
-
cpe:2.3:a:f5:nginx_open_source:0.5.19
-
cpe:2.3:a:f5:nginx_open_source:0.5.20
-
cpe:2.3:a:f5:nginx_open_source:0.5.21
-
cpe:2.3:a:f5:nginx_open_source:0.5.22
-
cpe:2.3:a:f5:nginx_open_source:0.5.23
-
cpe:2.3:a:f5:nginx_open_source:0.5.24
-
cpe:2.3:a:f5:nginx_open_source:0.5.25
-
cpe:2.3:a:f5:nginx_open_source:0.6.0
-
cpe:2.3:a:f5:nginx_open_source:0.6.1
-
cpe:2.3:a:f5:nginx_open_source:0.6.10
-
cpe:2.3:a:f5:nginx_open_source:0.6.11
-
cpe:2.3:a:f5:nginx_open_source:0.6.12
-
cpe:2.3:a:f5:nginx_open_source:0.6.13
-
cpe:2.3:a:f5:nginx_open_source:0.6.14
-
cpe:2.3:a:f5:nginx_open_source:0.6.15
-
cpe:2.3:a:f5:nginx_open_source:0.6.16
-
cpe:2.3:a:f5:nginx_open_source:0.6.17
-
cpe:2.3:a:f5:nginx_open_source:0.6.18
-
cpe:2.3:a:f5:nginx_open_source:0.6.19
-
cpe:2.3:a:f5:nginx_open_source:0.6.2
-
cpe:2.3:a:f5:nginx_open_source:0.6.20
-
cpe:2.3:a:f5:nginx_open_source:0.6.21
-
cpe:2.3:a:f5:nginx_open_source:0.6.22
-
cpe:2.3:a:f5:nginx_open_source:0.6.23
-
cpe:2.3:a:f5:nginx_open_source:0.6.24
-
cpe:2.3:a:f5:nginx_open_source:0.6.25
-
cpe:2.3:a:f5:nginx_open_source:0.6.26
-
cpe:2.3:a:f5:nginx_open_source:0.6.27
-
cpe:2.3:a:f5:nginx_open_source:0.6.28
-
cpe:2.3:a:f5:nginx_open_source:0.6.29
-
cpe:2.3:a:f5:nginx_open_source:0.6.3
-
cpe:2.3:a:f5:nginx_open_source:0.6.30
-
cpe:2.3:a:f5:nginx_open_source:0.6.31
-
cpe:2.3:a:f5:nginx_open_source:0.6.4
-
cpe:2.3:a:f5:nginx_open_source:0.6.5
-
cpe:2.3:a:f5:nginx_open_source:0.6.6
-
cpe:2.3:a:f5:nginx_open_source:0.6.7
-
cpe:2.3:a:f5:nginx_open_source:0.6.8
-
cpe:2.3:a:f5:nginx_open_source:0.6.9
-
cpe:2.3:a:f5:nginx_open_source:0.7.0
-
cpe:2.3:a:f5:nginx_open_source:0.7.1
-
cpe:2.3:a:f5:nginx_open_source:0.7.10
-
cpe:2.3:a:f5:nginx_open_source:0.7.11
-
cpe:2.3:a:f5:nginx_open_source:0.7.12
-
cpe:2.3:a:f5:nginx_open_source:0.7.13
-
cpe:2.3:a:f5:nginx_open_source:0.7.14
-
cpe:2.3:a:f5:nginx_open_source:0.7.15
-
cpe:2.3:a:f5:nginx_open_source:0.7.16
-
cpe:2.3:a:f5:nginx_open_source:0.7.17
-
cpe:2.3:a:f5:nginx_open_source:0.7.18
-
cpe:2.3:a:f5:nginx_open_source:0.7.19
-
cpe:2.3:a:f5:nginx_open_source:0.7.2
-
cpe:2.3:a:f5:nginx_open_source:0.7.20
-
cpe:2.3:a:f5:nginx_open_source:0.7.21
-
cpe:2.3:a:f5:nginx_open_source:0.7.22
-
cpe:2.3:a:f5:nginx_open_source:0.7.23
-
cpe:2.3:a:f5:nginx_open_source:0.7.24
-
cpe:2.3:a:f5:nginx_open_source:0.7.25
-
cpe:2.3:a:f5:nginx_open_source:0.7.26
-
cpe:2.3:a:f5:nginx_open_source:0.7.27
-
cpe:2.3:a:f5:nginx_open_source:0.7.28
-
cpe:2.3:a:f5:nginx_open_source:0.7.29
-
cpe:2.3:a:f5:nginx_open_source:0.7.3
-
cpe:2.3:a:f5:nginx_open_source:0.7.30
-
cpe:2.3:a:f5:nginx_open_source:0.7.31
-
cpe:2.3:a:f5:nginx_open_source:0.7.32
-
cpe:2.3:a:f5:nginx_open_source:0.7.33
-
cpe:2.3:a:f5:nginx_open_source:0.7.34
-
cpe:2.3:a:f5:nginx_open_source:0.7.35
-
cpe:2.3:a:f5:nginx_open_source:0.7.36
-
cpe:2.3:a:f5:nginx_open_source:0.7.37
-
cpe:2.3:a:f5:nginx_open_source:0.7.38
-
cpe:2.3:a:f5:nginx_open_source:0.7.39
-
cpe:2.3:a:f5:nginx_open_source:0.7.4
-
cpe:2.3:a:f5:nginx_open_source:0.7.40
-
cpe:2.3:a:f5:nginx_open_source:0.7.41
-
cpe:2.3:a:f5:nginx_open_source:0.7.42
-
cpe:2.3:a:f5:nginx_open_source:0.7.43
-
cpe:2.3:a:f5:nginx_open_source:0.7.44
-
cpe:2.3:a:f5:nginx_open_source:0.7.45
-
cpe:2.3:a:f5:nginx_open_source:0.7.46
-
cpe:2.3:a:f5:nginx_open_source:0.7.47
-
cpe:2.3:a:f5:nginx_open_source:0.7.48
-
cpe:2.3:a:f5:nginx_open_source:0.7.49
-
cpe:2.3:a:f5:nginx_open_source:0.7.5
-
cpe:2.3:a:f5:nginx_open_source:0.7.50
-
cpe:2.3:a:f5:nginx_open_source:0.7.51
-
cpe:2.3:a:f5:nginx_open_source:0.7.52
-
cpe:2.3:a:f5:nginx_open_source:0.7.53
-
cpe:2.3:a:f5:nginx_open_source:0.7.54
-
cpe:2.3:a:f5:nginx_open_source:0.7.55
-
cpe:2.3:a:f5:nginx_open_source:0.7.56
-
cpe:2.3:a:f5:nginx_open_source:0.7.57
-
cpe:2.3:a:f5:nginx_open_source:0.7.58
-
cpe:2.3:a:f5:nginx_open_source:0.7.59
-
cpe:2.3:a:f5:nginx_open_source:0.7.6
-
cpe:2.3:a:f5:nginx_open_source:0.7.7
-
cpe:2.3:a:f5:nginx_open_source:0.7.8
-
cpe:2.3:a:f5:nginx_open_source:0.7.9
-
cpe:2.3:a:f5:nginx_open_source:0.8.0
-
cpe:2.3:a:f5:nginx_open_source:0.8.1
-
cpe:2.3:a:f5:nginx_open_source:0.8.10
-
cpe:2.3:a:f5:nginx_open_source:0.8.11
-
cpe:2.3:a:f5:nginx_open_source:0.8.12
-
cpe:2.3:a:f5:nginx_open_source:0.8.13
-
cpe:2.3:a:f5:nginx_open_source:0.8.14
-
cpe:2.3:a:f5:nginx_open_source:0.8.15
-
cpe:2.3:a:f5:nginx_open_source:0.8.16
-
cpe:2.3:a:f5:nginx_open_source:0.8.17
-
cpe:2.3:a:f5:nginx_open_source:0.8.18
-
cpe:2.3:a:f5:nginx_open_source:0.8.19
-
cpe:2.3:a:f5:nginx_open_source:0.8.2
-
cpe:2.3:a:f5:nginx_open_source:0.8.20
-
cpe:2.3:a:f5:nginx_open_source:0.8.21
-
cpe:2.3:a:f5:nginx_open_source:0.8.22
-
cpe:2.3:a:f5:nginx_open_source:0.8.23
-
cpe:2.3:a:f5:nginx_open_source:0.8.24
-
cpe:2.3:a:f5:nginx_open_source:0.8.25
-
cpe:2.3:a:f5:nginx_open_source:0.8.26
-
cpe:2.3:a:f5:nginx_open_source:0.8.27
-
cpe:2.3:a:f5:nginx_open_source:0.8.28
-
cpe:2.3:a:f5:nginx_open_source:0.8.29
-
cpe:2.3:a:f5:nginx_open_source:0.8.3
-
cpe:2.3:a:f5:nginx_open_source:0.8.30
-
cpe:2.3:a:f5:nginx_open_source:0.8.31
-
cpe:2.3:a:f5:nginx_open_source:0.8.32
-
cpe:2.3:a:f5:nginx_open_source:0.8.33
-
cpe:2.3:a:f5:nginx_open_source:0.8.34
-
cpe:2.3:a:f5:nginx_open_source:0.8.35
-
cpe:2.3:a:f5:nginx_open_source:0.8.36
-
cpe:2.3:a:f5:nginx_open_source:0.8.37
-
cpe:2.3:a:f5:nginx_open_source:0.8.38
-
cpe:2.3:a:f5:nginx_open_source:0.8.39
-
cpe:2.3:a:f5:nginx_open_source:0.8.4
-
cpe:2.3:a:f5:nginx_open_source:0.8.40
-
cpe:2.3:a:f5:nginx_open_source:0.8.41
-
cpe:2.3:a:f5:nginx_open_source:0.8.42
-
cpe:2.3:a:f5:nginx_open_source:0.8.43
-
cpe:2.3:a:f5:nginx_open_source:0.8.44
-
cpe:2.3:a:f5:nginx_open_source:0.8.45
-
cpe:2.3:a:f5:nginx_open_source:0.8.46
-
cpe:2.3:a:f5:nginx_open_source:0.8.47
-
cpe:2.3:a:f5:nginx_open_source:0.8.48
-
cpe:2.3:a:f5:nginx_open_source:0.8.49
-
cpe:2.3:a:f5:nginx_open_source:0.8.5
-
cpe:2.3:a:f5:nginx_open_source:0.8.50
-
cpe:2.3:a:f5:nginx_open_source:0.8.51
-
cpe:2.3:a:f5:nginx_open_source:0.8.52
-
cpe:2.3:a:f5:nginx_open_source:0.8.53
-
cpe:2.3:a:f5:nginx_open_source:0.8.6
-
cpe:2.3:a:f5:nginx_open_source:0.8.7
-
cpe:2.3:a:f5:nginx_open_source:0.8.8
-
cpe:2.3:a:f5:nginx_open_source:0.8.9
-
cpe:2.3:a:f5:nginx_open_source:0.9.0
-
cpe:2.3:a:f5:nginx_open_source:0.9.1
-
cpe:2.3:a:f5:nginx_open_source:0.9.2
-
cpe:2.3:a:f5:nginx_open_source:0.9.3
-
cpe:2.3:a:f5:nginx_open_source:0.9.4
-
cpe:2.3:a:f5:nginx_open_source:0.9.5
-
cpe:2.3:a:f5:nginx_open_source:0.9.6
-
cpe:2.3:a:f5:nginx_open_source:0.9.7
-
cpe:2.3:a:f5:nginx_open_source:1.27.2
-
cpe:2.3:a:f5:nginx_open_source:1.27.3
-
cpe:2.3:a:f5:nginx_open_source:1.27.4
-
cpe:2.3:a:f5:nginx_open_source:1.27.5
-
cpe:2.3:a:f5:nginx_open_source:1.28.2
-
cpe:2.3:a:f5:nginx_open_source:1.29.0
-
cpe:2.3:a:f5:nginx_open_source:1.29.1
-
cpe:2.3:a:f5:nginx_open_source:1.29.2
-
cpe:2.3:a:f5:nginx_open_source:1.29.3
-
cpe:2.3:a:f5:nginx_open_source:1.29.4
-
cpe:2.3:a:f5:nginx_open_source:1.29.5
-
cpe:2.3:a:f5:nginx_open_source:1.29.6
-
cpe:2.3:a:f5:nginx_plus:r33
-
cpe:2.3:a:f5:nginx_plus:r34
-
cpe:2.3:a:f5:nginx_plus:r35
-
cpe:2.3:a:f5:nginx_plus:r36