F5 published security advisories for two NGINX mail-related vulnerabilities affecting the ngx_mail_auth_http_module and ngx_mail_smtp_module. The issues were assigned CVE-2026-27651 and CVE-2026-28753, respectively, and were disclosed through F5's product advisory channel for NGINX.
The advisories identify separate flaws in components used to support mail authentication over HTTP and SMTP handling within NGINX's mail functionality. While the published entries did not include public synopses, the disclosures indicate that organizations using NGINX mail modules should review the vendor advisories, determine whether the affected modules are enabled in their environments, and apply any recommended updates or mitigations from F5.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
Microsoft added CVE-2026-27651 to its Security Update Guide as a vulnerability affecting the NGINX ngx_mail_auth_http_module. The reference provides no synopsis or further technical details beyond the advisory topic.
Microsoft added CVE-2026-28753 to its Security Update Guide as a vulnerability affecting the NGINX ngx_mail_proxy_module. The reference provides no synopsis or further technical details beyond the advisory topic.
F5 published a product advisory for a vulnerability in the NGINX ngx_mail_smtp_module, tracked as CVE-2026-28753. The reference does not include further synopsis or impact details.
F5 published a product advisory for a vulnerability in the NGINX ngx_mail_auth_http_module, tracked as CVE-2026-27651. The reference provides no additional synopsis or technical details beyond the advisory topic.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
msrc.microsoft.com
Open sourcemsrc.microsoft.com
Open sourcemy.f5.com
Open sourcemy.f5.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.