NGINX Release Notes

nginx-1.31.1 mainline version has been released, with a fix for buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-9256).

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

• Fix the set-creation-date.yaml workflow by @ac000 in #1353
• Mp4: avoid adding or comparing to null pointer by @arut in #1360
• HTTP/2: limit Content-Type and Location response header length by @arut in #1359
• Mail error path fixes by @arut in #1358
• Rewrite: harden escape flags control by @arut in #1381
• Rewrite: fix buffer overflow with overlapping captures by @arut in #1395
• nginx-1.31.1-RELEASE by @pluknet in #1396
• Full Changelog: release-1.31.0...release-1.31.1

Original source

nginx-1.31.0 mainline version has been released with fixes for HTTP/2 request injection vulnerability in the ngx_http_proxy_module (CVE-2026-42926), buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-42945), buffer overread vulnerabilities in the ngx_http_scgi_module and ngx_http_uwsgi_module (CVE-2026-42946), buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-42934), address spoofing vulnerability in HTTP/3 (CVE-2026-40460), and use-after-free vulnerability in OCSP requests to resolver (CVE-2026-40701). Additionally, the release features support for HTTP forward proxy and least_time load-balancing method.

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

• GH: add a workflow to check for the 'version bump' commit by @ac000 in #1240
• Connection specific headers by @arut in #1257
• Updated OpenSSL used for win32 builds. by @pluknet in #1269
• SSL: logging level fixes. by @bavshin-f5 in #1258
• Changes in ngx_quic_cbs_recv_rcd() by @pluknet in #1279
• SSL: log SSL_R_RECORD_LAYER_FAILURE at info level by @Smeet23 in #1267
• Restrict duplicate TE headers in HTTP/2 and HTTP/3. by @arut in #1275
• HTTP/3: optimize encoder stream memory usage by @arut in #1274
• Stream: support ALPN for proxy_ssl upstream. by @VadimZhestikov in #1109
• Prevent Undefined Behaviour in memcpy(3) via ngx_init_cycle() by @ac000 in #1082
• GH: Add various bits of GitHub automation by @ac000 in #1172
• Configure: added synonym for the upstream sticky module option by @hyuan-netizen in #1292
• Stream: evaluate proxy_ssl_alpn once by @pluknet in #1304
• Request body: fixed empty body buffering special case. by @pluknet in #977
• Configure: fix gcc version detection in some corner cases by @ac000 in #1305
• Upstream: least_time load balancing for HTTP and stream. by @saikrishnakumarreddy in #1306
• Dav: improved path validation for COPY and MOVE operations by @saikrishnakumarreddy in #1307
• Proxy: fix keepalive for HTTP/2 when no body is specified by @arut in #1314
• GH: update the stale PR/issue workflow by @ac000 in #1315
• HTTP CONNECT proxy. by @arut in #707
• Reject HTTP CONNECT method with no port after colon by @pluknet in #1335
• GH: set new issues creation date by @ac000 in #1272
• nginx-1.31.0-RELEASE by @pluknet in #1350

New Contributors

• @Smeet23 made their first contribution in #1267
• @hyuan-netizen made their first contribution in #1292
• @saikrishnakumarreddy made their first contribution in #1306

Full Changelog: release-1.29.8...release-1.31.0

Original source

nginx-1.30.1 stable version has been released with fixes for HTTP/2 request injection vulnerability in the ngx_http_proxy_module (CVE-2026-42926), buffer overflow vulnerability in the ngx_http_rewrite_module (CVE-2026-42945), buffer overread vulnerabilities in the ngx_http_scgi_module and ngx_http_uwsgi_module (CVE-2026-42946), buffer overread vulnerability in the ngx_http_charset_module (CVE-2026-42934), address spoofing vulnerability in HTTP/3 (CVE-2026-40460), and use-after-free vulnerability in OCSP requests to resolver (CVE-2026-40701).

See official CHANGES-1.30 on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

nginx-1.30.1-RELEASE by @pluknet in #1351

Full Changelog: release-1.30.0...release-1.30.1

Original source

nginx-1.30.0 stable version has been released, incorporating new features and bug fixes from the 1.29.x mainline branch — including Early Hints, HTTP/2 to backend and Encrypted ClientHello, sticky sessions support for upstreams, Multipath TCP support, the default proxy HTTP version set to HTTP/1.1 with keep-alive enabled, and more.

What's Changed

Version bump 1.29.0 by @arut in #632

QUIC: silence unknown/reserved transport param "info" messages. by @arut in #633

Fixed -Wunterminated-string-initialization with gcc15. by @arut in #631

HTTP/3: fixed NGX_HTTP_V3_VARLEN_INT_LEN value. by @arut in #640

Win32: couple of platform detection fixes by @bavshin-f5 in #457

QUIC: fixed a typo. by @nandsky in #638

OpenSSL build fixes with various no-opt. by @pluknet in #634

QUIC: fixed sending acknowledgments with limited congestion window. by @pluknet in #655

QUIC: using QUIC API introduced in OpenSSL 3.5. by @pluknet in #646

SSL: support loading keys via OSSL_STORE. by @bavshin-f5 in #436

Core: added support for TCP keepalive parameters on macOS. by @pluknet in #709

HTTP Early Hints by @arut in #326

HTTP/3: indexed field line encoding for "103 Early Hints". by @pluknet in #746

Use NULL instead of 0 as null pointer constant by @ac000 in #702

Upstream: fixed reinit request with gRPC and Early Hints. by @pluknet in #750

QUIC: disabled OpenSSL 3.5 QUIC API support by default. by @pluknet in #751

nginx-1.29.0-RELEASE by @pluknet in #752

PCRE license fix for win32 zip by @pluknet in #753

QUIC: adjusted OpenSSL 3.5 QUIC API feature test. by @pluknet in #749

OPENSSL_VERSION_NUMBER fix for OpenSSL 3.0 by @pluknet in #775

kqueue build fixes by @pluknet in #777

HTTP/3: limited prefixed integers encoded length. by @pluknet in #124

HTTP/3: fixed handling :authority and Host with port. by @arut in #772

HTTP/2: fixed flushing early hints. by @arut in #808

HTTP/2 fixes for ":authority" vs "Host" by @pluknet in #803

Certificate compression by @pluknet in #788

Auth basic: fixed file descriptor leak on memory allocation error. by @pluknet in #833

smtp module fixes by @pluknet in #842

Changes 1.29.1 by @pluknet in #843

Added a previously missed changes entry in 1.29.1 relnotes. by @pluknet in #844

Removed legacy charset directive from default config example. by @MohamedKarrab in #829

QUIC: fixed ssl_reject_handshake error handling. by @pluknet in #889

Updated link to xslscript. by @pluknet in #854

Fixed inaccurate index directive error report by @willmafh in #881

SNI: using ClientHello callback. by @pluknet in #562

AWS-LC support changes by @pluknet in #848

Upstream: overflow detection in Cache-Control delta-seconds. by @pluknet in #898

Mail: xtext encoding (RFC 3461) in XCLIENT LOGIN. by @pluknet in #893

Added F5 CLA workflow. by @Maryna-f5 in #908

SSL: fixed "key values mismatch" with object cache inheritance. by @pluknet in #740

nginx-1.29.2 changes by @pluknet in #919

SSL: support for compressed server certificates with BoringSSL. by @pluknet in #823

HTTP CONNECT infrastructure by @arut in #935

Upstream: reset local address in case of error. by @arut in #942

SSL: $ssl_sigalg, $ssl_client_sigalg. by @pluknet in #932

Geo: the "volatile" parameter. by @dplotnikov-f5 in #943

Inheritance control for add_header and add_trailer. by @arut in #918

OCSP: fixed invalid type for the 'ssl_ocsp' directive. by @roman-f5 in #938

Fixed compilation warnings on Windows after c93a0c4. by @arut in #954

Modules compatibility: increased compat section size. by @arut in #952

nginx-1.29.3 changes by @arut in #953

Configure: ensure we get the "built by ..." line in nginx -V. by @ac000 in #905

Adding support for pcre 10.47 by @thierryba in #963

SSL: changed interface of ngx_ssl_set_client_hello_callback(). by @pluknet in #968

SSL: fixed build with BoringSSL, broken by 38a701d. by @pluknet in #972

HTTP/2: extended guard for NULL buffer and zero length. by @pluknet in #978

Validate host by @pluknet in #966

Proxy: fixed segfault in URI change (issue #983). by @pluknet in #1004

OpenSSL ECH integration by @sftcd in #840

Update community health files by @alessfg in #727

SSL: avoid warning when ECH is not configured and not supported. by @QirunGao in #1011

Disabled bare LF in chunked transfer encoding. by @pluknet in #1016

HTTP/2 to upstream by @hongzhidao in #771

Quic: fixed segfault on handshake failure by @jeniksv in #1022

nginx-1.29.4-RELEASE by @pluknet in #1023

Fixed duplicate ids in the bug report template. by @bavshin-f5 in #1035

SSL: logging level of the "ech_required" TLS alert. by @arut in #1038

Win32: fixed C4319 warning with MSVC x86. by @bavshin-f5 in #1057

Add a HTTP_HOST parameter to default_params. by @ac000 in #1031

Year 2026. by @pluknet in #1076

Range filter: reasonable limit on multiple ranges. by @pluknet in #1075

Misc: moved documentation in generated ZIP archive. by @pluknet in #1078

Docs: Clarify -t option behavior in nginx man page by @uhliarik in #1089

Proxy v2 request body fixes. by @pluknet in #1058

Updated OpenSSL and PCRE used for win32 builds. by @arut in #1111

Upstream read before write by @arut in #1112

nginx-1.29.5-RELEASE by @arut in #1113

Version bump. by @arut in #1120

Proxy: fixed HTTP/2 upstream with caching enabled. by @hongzhidao in #1119

Fixed separator in parsing header lines with multiple values. by @VadimZhestikov in #1056

SCGI: fixed passing CONTENT_LENGTH in unbuffered mode. by @pluknet in #1118

Mp4: validate sync sample values in stss atom. by @CodeByMoriarty in #1147

Resolver: fixed off-by-one read in ngx_resolver_copy(). by @arut in #1152

QUIC Stateless Reset improvements by @pluknet in #1151

QUIC: fixed bpf compilation with newer Linux kernels. by @arut in #215

Updating welcome page with links and more details. by @buulam in #1138

QUIC: worker-bound stateless reset tokens. by @arut in #1159

QUIC: handle compat keylog callback errors by @lukefr09 in #1155

Added an option to skip the F5 CLA workflow. by @alessfg in #1153

IMAP bugfixes. by @pluknet in #1161

Upstream: added sticky sessions support for upstreams. by @bavshin-f5 in #1167

nginx-1.29.6 changes by @pluknet in #1177

Version bump 1.29.7. by @arut in #1181

Proxy authentication definitions. by @arut in #1178

Proxy: reset pending control frames on HTTP/2 upstream reinit. by @devnexen in #1135

gRPC: reset buffer chains on upstream reinit. by @devnexen in #1136

Multipath TCP support by @pluknet in #931

Logs: added COMPAT padding to ngx_log_t. by @dplotnikov-f5 in #1196

Upstream keepalive: enabled keepalive module by default. by @roman-f5 in #1080

Upstream keepalive: fixed parameter parsing. by @arut in #1207

Mp4: avoid zero size buffers in output. by @arut in #1149

Mp4: fixed possible integer overflow on 32-bit platforms. by @arut in #1209

Dav: destination length validation for COPY and MOVE. by @arut in #1210

Mail: host validation. by @arut in #1211

Mail: fixed clearing s->passwd in auth http requests. by @arut in #1212

Stream: fixed client certificate validation with OCSP. by @arut in #1213

nginx-1.29.7-RELEASE by @arut in #1215

Fixed the "include" directive inside the "geo" block. by @jimf5 in #1184

SSL: compatibility with OpenSSL 4.0. by @pluknet in #1183

Update CONTRIBUTING.md by @xuruidong in #1195

Upstream: fixed processing multiple 103 (early hints) responses. by @pluknet in #1241

Removed CLOCK_MONOTONIC_FAST support. by @jimf5 in #1243

Upstream: fix integer underflow in charset parsing by @DavidKorczynski in #1170

Added max_headers directive by @dekobon in #1116

fix $request_port / $is_request_port being empty if auth_request is used by @Zoey2936 in #1248

Upstream: reset early_hints_length on upstream reinit. by @devnexen in #1187

nginx-1.29.8-RELEASE by @pluknet in #1252

nginx-1.30.0-RELEASE by @pluknet in #1268

New Contributors

@MohamedKarrab made their first contribution in #829

@willmafh made their first contribution in #881

@dplotnikov-f5 made their first contribution in #943

@roman-f5 made their first contribution in #938

@sftcd made their first contribution in #840

@alessfg made their first contribution in #727

@QirunGao made their first contribution in #1011

@hongzhidao made their first contribution in #771

@jeniksv made their first contribution in #1022

@uhliarik made their first contribution in #1089

@VadimZhestikov made their first contribution in #1056

@CodeByMoriarty made their first contribution in #1147

@buulam made their first contribution in #1138

@lukefr09 made their first contribution in #1155

@devnexen made their first contribution in #1135

@jimf5 made their first contribution in #1184

@xuruidong made their first contribution in #1195

@DavidKorczynski made their first contribution in #1170

@dekobon made their first contribution in #1116

@Zoey2936 made their first contribution in #1248

Full Changelog: release-1.28.3...release-1.30.0

Original source

nginx-1.29.8 mainline version has been released.

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

Fixed the "include" directive inside the "geo" block. by @jimf5 in #1184

SSL: compatibility with OpenSSL 4.0. by @pluknet in #1183

Update CONTRIBUTING.md by @xuruidong in #1195

Upstream: fixed processing multiple 103 (early hints) responses. by @pluknet in #1241

Removed CLOCK_MONOTONIC_FAST support. by @jimf5 in #1243

Upstream: fix integer underflow in charset parsing by @DavidKorczynski in #1170

Added max_headers directive by @dekobon in #1116

fix $request_port / $is_request_port being empty if auth_request is used by @Zoey2936 in #1248

Upstream: reset early_hints_length on upstream reinit. by @devnexen in #1187

nginx-1.29.8-RELEASE by @pluknet in #1252

New Contributors

@jimf5 made their first contribution in #1184

@xuruidong made their first contribution in #1195

@DavidKorczynski made their first contribution in #1170

@dekobon made their first contribution in #1116

@Zoey2936 made their first contribution in #1248

Full Changelog: release-1.29.7...release-1.29.8

Original source

nginx-1.29.7 mainline version has been released, introducing two significant updates: support for Multipath TCP and upgrading the default HTTP version to HTTP/1.1 with keep-alive enabled. This release also includes a security fix for the buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), security fixes for the buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), security fixes for the mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753), and a security fix for the OCSP result bypass vulnerability in stream (CVE-2026-28755).

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

• Version bump 1.29.7. by @arut in #1181
• Proxy authentication definitions. by @arut in #1178
• Proxy: reset pending control frames on HTTP/2 upstream reinit. by @devnexen in #1135
• gRPC: reset buffer chains on upstream reinit. by @devnexen in #1136
• Multipath TCP support by @pluknet in #931
• Logs: added COMPAT padding to ngx_log_t. by @dplotnikov-f5 in #1196
• Upstream keepalive: enabled keepalive module by default. by @roman-f5 in #1080
• Upstream keepalive: fixed parameter parsing. by @arut in #1207
• Mp4: avoid zero size buffers in output. by @arut in #1149
• Mp4: fixed possible integer overflow on 32-bit platforms. by @arut in #1209
• Dav: destination length validation for COPY and MOVE. by @arut in #1210
• Mail: host validation. by @arut in #1211
• Mail: fixed clearing s->passwd in auth http requests. by @arut in #1212
• Stream: fixed client certificate validation with OCSP. by @arut in #1213
• nginx-1.29.7-RELEASE by @arut in #1215

New Contributors

• @devnexen made their first contribution in #1135

Full Changelog: release-1.29.6...release-1.29.7

Original source

nginx-1.28.3 stable version has been released. This release includes a security fix for the buffer overflow vulnerability in the ngx_http_dav_module (CVE-2026-27654), security fixes for the buffer overflow vulnerabilities in the ngx_http_mp4_module (CVE-2026-27784, CVE-2026-32647), security fixes for the mail session authentication vulnerabilities (CVE-2026-27651, CVE-2026-28753), and a security fix for the OCSP result bypass vulnerability in stream (CVE-2026-28755).

See official CHANGES-1.28 on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

Release 1.28.3 by @arut in #1216

Full Changelog: release-1.28.2...release-1.28.3

Original source

nginx-1.29.6 mainline version has been released, featuring sticky sessions support for upstreams.

See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

• Version bump. by @arut in #1120
• Proxy: fixed HTTP/2 upstream with caching enabled. by @hongzhidao in #1119
• Fixed separator in parsing header lines with multiple values. by @VadimZhestikov in #1056
• SCGI: fixed passing CONTENT_LENGTH in unbuffered mode. by @pluknet in #1118
• Mp4: validate sync sample values in stss atom. by @CodeByMoriarty in #1147
• Resolver: fixed off-by-one read in ngx_resolver_copy(). by @arut in #1152
• QUIC Stateless Reset improvements by @pluknet in #1151
• QUIC: fixed bpf compilation with newer Linux kernels. by @arut in #215
• Updating welcome page with links and more details. by @buulam in #1138
• QUIC: worker-bound stateless reset tokens. by @arut in #1159
• QUIC: handle compat keylog callback errors by @lukefr09 in #1155
• Added an option to skip the F5 CLA workflow. by @alessfg in #1153
• IMAP bugfixes. by @pluknet in #1161
• Upstream: added sticky sessions support for upstreams. by @bavshin-f5 in #1167
• nginx-1.29.6 changes by @pluknet in #1177

New Contributors

• @VadimZhestikov made their first contribution in #1056
• @CodeByMoriarty made their first contribution in #1147
• @buulam made their first contribution in #1138
• @lukefr09 made their first contribution in #1155

Full Changelog: release-1.29.5...release-1.29.6

Original source

nginx-1.29.5 mainline version has been released. This release includes a security fix for the SSL upstream injection vulnerability (CVE-2026-1642). See official CHANGES on nginx.org.

Below is a release summary generated by GitHub.

What's Changed

Fixed duplicate ids in the bug report template. by @bavshin-f5 in #1035

SSL: logging level of the "ech_required" TLS alert. by @arut in #1038

Win32: fixed C4319 warning with MSVC x86. by @bavshin-f5 in #1057

Add a HTTP_HOST parameter to default_params. by @ac000 in #1031

Year 2026. by @pluknet in #1076

Range filter: reasonable limit on multiple ranges. by @pluknet in #1075

Misc: moved documentation in generated ZIP archive. by @pluknet in #1078

Docs: Clarify -t option behavior in nginx man page by @uhliarik in #1089

Proxy v2 request body fixes. by @pluknet in #1058

Updated OpenSSL and PCRE used for win32 builds. by @arut in #1111

Upstream read before write by @arut in #1112

nginx-1.29.5-RELEASE by @arut in #1113

New Contributors

@uhliarik made their first contribution in #1089

Full Changelog: release-1.29.4...release-1.29.5

Original source