NGINX Plus Updates & Release Notes

Based on NGINX Open Source 1.29.8

NGINX Plus PLS.37.0.0.1 LTS is the first LTS release.

New release model: Long-Term Support (LTS) Releases and Continuous Releases (CR).

• Agentic observability module: real-time MCP traffic monitoring.
• NGINX control REST API that provides an HTTP interface for controlling an NGINX Plus instance in addition to signal-based control.
• JSON-formatted error logs: the json parameter of the error_log directive.
• Customer error log variables: the error_log_tag directive.
• Enhanced upstream latency metrics with latency histograms: the response_time_hist data for each HTTP upstream.
• Basic authentication for HTTP CONNECT forward proxy.
• Encrypted Client Hello (ECH) support: the ssl_ech_file directive.
• Multipath TCP support: the multipath parameter of the listen directive.
• The max_headers directive that sets the maximum allowed number of header lines in requests.
• HTTP2 to upstreams support.
• Default HTTP 1.1 version to upstreams with keepalive enabled by default.
• Support for OpenSSL 4.0.
• Enhancements in the ACME, OpenTelemetry Distributed Tracing and Prometheus-njs modules.
• Security fix in the ngx_http_rewrite_module module: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by the module, potentially resulting in arbitrary code execution (CVE-2026-42945).
• Security fix in the ngx_http_scgi_module and ngx_http_uwsgi_module modules: a heap memory buffer overread might occur in a worker process while handling a specially crafted response by these modules, allowing an attacker to cause a disclosure of worker process memory or segmentation fault in a worker process (CVE-2026-42946).
• Security fix in the ngx_http_charset_module module: a heap memory buffer overread might occur in a worker process while handling a specially crafted response with decoding from UTF-8 via the charset_map directive, allowing an attacker to cause a limited disclosure of worker process memory or segmentation fault in a worker process (CVE-2026-42934).
• Security fix for HTTP/3: when using HTTP/3, processing of connection migration might cause new QUIC streams to receive a new client address before validation, allowing an attacker to cause address spoofing (CVE-2026-40460).
• Security fix in the ngx_http_ssl_module module: when the ssl_verify_client directive is set to on or optional, and the ssl_ocsp directive is set to on or the leaf parameters are configured with a resolver, an unauthenticated attacker can send requests that, under conditions beyond the attacker’s control, might cause a heap-use-after-free error in a NGINX worker process, potentially resulting in limited modification of data or a worker process restart (CVE-2026-40701).

Based on NGINX Open Source 1.29.3

NGINX Plus R36 is a feature release:

• HTTP CONNECT forward proxy: the tunnel_module that handles CONNECT requests and establishes an end-to-end virtual connection.
• Native OIDC Support for PKCE, front-channel logout, and POST client authentication.
• ACME enhancements for certificate automation: support for ACME challenges and keys for external account authorization.
• The num_map module for http and stream that, similar to the map module, allows creating variables whose values depend on numeric values or numeric value ranges.
• The $upstream_last_addr variable that keeps the IP address of the last selected upstream server.
• The $request_port and $is_request_port variables.
• Enhancements in the proxy modules:
  • The proxy_allow_upstream directive and the denied parameter of proxy_next_upstream (also for FastCGI, gRPC, memcached, tunnel, SCGI, and uwsgi) that specifies the conditions under which access to the proxied server is allowed or denied.
  • The proxy_bind_dynamic directive (also for FastCGI, gRPC, memcached, tunnel, SCGI, and uwsgi) that makes the bind operation at each connection attempt.
  • the proxy_request_dynamic directive (also for FastCGI, gRPC, memcached, tunnel, SCGI, and uwsgi) that enables creation of a separate request instance for each proxied server instead of using a single request for all proxied servers.
• SSL/TLS enhancements:
  • TLS certificate compression with the ssl_certificate_compression directive for http, stream, and mail.
  • TLSv1.3 certificate compression is disabled by default.
  • The $ssl_sigalg and $ssl_client_sigalg variables that return the signature algorithm for the client or server certificate for an SSL connection.
  • support for 0-RTT in QUIC when using OpenSSL 3.5.1 or newer.
  • Support for OpenSSL 3.5.
• Inheritance control for headers and trailers.
• The volatile parameter of the geo directive, which indicates that the variable is not cacheable.
• Container images with popular modules, now including ACME, OpenTelemetry, and Prometheus exporter modules.

NGINX Plus R36 is supported on:

AlmaLinux 8.1+, 9, 10

Alpine Linux 3.20, 3.21, 3.22

Amazon Linux 2 LTS, 2023

Debian 11, 12, 13

FreeBSD 13.5+, 14.3+

Oracle Linux 8.1+, 9

RHEL 8.1+, 9, 10

Rocky Linux 8.1+, 9, 10

SUSE Linux Enterprise Server 15 SP6+, 16

Ubuntu 22.04 LTS, 24.04 LTS

Notes:

• Alpine Linux 3.19 is removed
• Alpine Linux 3.20 is deprecated
• Debian 13 is new in this release
• Rocky Linux 10 is new in this release
• SLES 16 is new in this release

This is a security release for NGINX Plus R36.

• Security fix in the ngx_http_rewrite_module module: a heap memory buffer overflow might occur in a worker process while handling a specially crafted request by the module, potentially resulting in arbitrary code execution (CVE-2026-42945).
• Security fix in the ngx_http_scgi_module and ngx_http_uwsgi_module modules: a heap memory buffer overread might occur in a worker process while handling a specially crafted response by these modules, allowing an attacker to cause a disclosure of worker process memory or segmentation fault in a worker process (CVE-2026-42946).
• Security fix in the ngx_http_charset_module module: a heap memory buffer overread might occur in a worker process while handling a specially crafted response with decoding from UTF-8 via the charset_map directive, allowing an attacker to cause a limited disclosure of worker process memory or segmentation fault in a worker process (CVE-2026-42934).
• Security fix for HTTP/3: when using HTTP/3, processing of connection migration might cause new QUIC streams to receive a new client address before validation, allowing an attacker to cause address spoofing (CVE-2026-40460).
• Security fix in the ngx_http_ssl_module module: when the ssl_verify_client directive is set to on or optional, and the ssl_ocsp directive is set to on or the leaf parameters are configured with a resolver, an unauthenticated attacker can send requests that, under conditions beyond the attacker’s control, might cause a heap-use-after-free error in a NGINX worker process, potentially resulting in limited modification of data or a worker process restart (CVE-2026-40701).

This is a security release for NGINX Plus R36.

• Security fix in the ngx_http_dav_module module: a buffer overflow might occur while handling a COPY or MOVE request in a location with alias, allowing an attacker to modify the source or destination path outside of the document root (CVE-2026-27654).

• Security fix in the ngx_http_mp4_module module: processing of a specially crafted mp4 file might cause a worker process crash, or might have potential other impact (CVE-2026-32647).

• Security fix in the ngx_mail_auth_http_module module: a segmentation fault might occur in a worker process if the CRAM-MD5 or APOP authentication methods were used and authentication retry was enabled (CVE-2026-27651).

• Security fix in the ngx_mail_smtp_module module: an attacker might use PTR DNS records to inject data in auth_http requests, as well as in the XCLIENT command in the backend SMTP connection (CVE-2026-28753).

• Security fix in the ngx_stream_ssl_module module: SSL handshake might succeed despite OCSP rejecting a client certificate (CVE-2026-28755).

Based on NGINX Open Source 1.29.0

NGINX Plus R35 is a feature release:

• Automated Certificate Management Environment (ACME) protocol support.
• Automatic renewal of NGINX Plus license.
  FCP subscription renewals require manual JWT updates
  If your subscription was renewed under the Flexible Consumption Program (FCP), automatic JWT renewal isn’t supported. You must apply updated JWT licenses manually at each renewal to make sure NGINX Plus continues to work.
  Check your subscription details, including subscription type, on MyF5.
  For more information, see K000160880: JWT license auto-renewal may fail in NGINX Plus.
• Native OIDC enhancements: Relying party (RP) initiated Logout and UserInfo endpoint.
• The auth_require module that allows access decisions to be made based on any variable values available at the time of invocation, including key-value pairs and njs variables. The module is primarily designed for authentication, especially in conjunction with OIDC.
• CUBIC Congestion Control in HTTP3/QUIC.
• Support for 103 Early Hints.
• Security: SMTP Authentication process memory over-read. This vulnerability in the NGINX ngx_mail_smtp_module may allow an unauthenticated attacker to trigger buffer over-read, resulting in worker process memory disclosure to the authentication server (CVE-2025-53859).

For highlights of all new features and enhancements in this release, see the NGINX Plus R35 release blog.

NGINX Plus R35 is supported on:

AlmaLinux 8, 9, 10
Alpine Linux 3.19, 3.20, 3.21, 3.22
Amazon Linux 2 LTS, 2023
Debian 11, 12
FreeBSD 13.5+, 14.3+
Oracle Linux 8.1+, 9
RHEL 8.1+, 9.0+, 10
Rocky Linux 8, 9
SUSE Linux Enterprise Server 15 SP6+
Ubuntu 22.04 LTS, 24.04 LTS

Notes:

• Alpine Linux 3.18 is removed
• Alpine Linux 3.19 is deprecated
• Alpine Linux 3.22 is new in this release
• AlmaLinux 10 is new in this release
• RHEL 10 is new in this release
• Ubuntu 20.04 is removed
• SLES 15 SP6 is now required
• the ACME dynamic module is new in this release.