ALPINE-CVE-2026-28755

ALPINE-CVE-2026-28755 PUBLISHED CVSS 5.400000095367432 MEDIUM

NGINX Plus and NGINX Open Source have a vulnerability in the ngx_stream_ssl_module module due to the improper handling of revoked certificates when configured with the ssl_verify_client on and ssl_ocsp on directives, allowing the TLS handshake to succeed even after an OCSP check identifies the certificate as revoked. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.

Risk Scores

CVSS v3.1

5.400000095367432

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Affected Products

Vendor	Product	Versions
Alpine:v3.23	nginx	0.8.53-r0, 0.8.54-r0, 0.8.54-r1
Alpine:v3.22	nginx	1.10.1-r9, 0, 0.8.53-r0

Timeline

Mar 24, 2026 CVE Published
Mar 26, 2026 CVE Updated
Apr 30, 2026 Distribution Patch

References

https://security.alpinelinux.org/vuln/CVE-2026-28755 advisory

Open in Interactive Console →