CVE-2026-8711: NGINX JavaScript Heap Overflow Risks Code Execution

/HIGH /CVSS 8.1/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severitycode-executioncwe-122
CVE-2026-8711: NGINX JavaScript Heap Overflow Risks Code Execution

The National Vulnerability Database has detailed CVE-2026-8711, a critical heap buffer overflow vulnerability in NGINX JavaScript. This flaw emerges when the js_fetch_proxy directive is configured with client-controlled NGINX variables (e.g., $http_*, $arg_*, $cookie_*) and a location that invokes ngx.fetch() from NGINX JavaScript.

An unauthenticated attacker can trigger this vulnerability by sending specially crafted HTTP requests. The immediate impact is a heap buffer overflow in the NGINX worker process, leading to a restart. More alarmingly, for systems where Address Space Layout Randomization (ASLR) is disabled, this vulnerability opens the door to remote code execution. The National Vulnerability Database assigns a CVSS score of 8.1 (HIGH).

This isn’t just a denial-of-service risk; it’s a potential remote code execution vector. Defenders need to understand the attacker’s calculus here: a simple crafted request, no authentication required, could lead to a full system compromise if ASLR is not properly implemented. Patching is non-negotiable, but a deeper look at NGINX configurations is also critical to understand exposure.

What This Means For You

  • If your organization utilizes NGINX with `js_fetch_proxy` configured with client-controlled variables, you are directly exposed. Immediately review your NGINX JavaScript configurations for the presence of `js_fetch_proxy` and client-controlled variables. Prioritize patching NGINX to mitigate CVE-2026-8711. Verify ASLR is enabled across your NGINX deployments to at least prevent the code execution scenario.

Related ATT&CK Techniques

T1190 Exploit Public-Facing Application Initial Access T1200 Hardware Additions Privilege Escalation T1059.004 Command and Scripting Interpreter: Unix Shell Execution

🛡️ Detection Rules

6 rules · 6 SIEM formats

6 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

Web Application Exploitation Attempt — CVE-2026-8711

Sigma YAML — free preview 
title: Web Application Exploitation Attempt — CVE-2026-8711
id: scw-2026-05-19-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2026-8711 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-19
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-8711/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: webserver
detection:
  selection:
      cs-uri-query|contains:
        - '..'
        - 'SELECT'
        - 'UNION'
        - '<script'
        - 'cmd='
        - '/etc/passwd'
      condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-8711

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-8711 DoS NGINX JavaScript with js_fetch_proxy directive configured with client-controlled NGINX variables ($http_*, $arg_*, $cookie_*) and ngx.fetch() operation
CVE-2026-8711 RCE NGINX JavaScript with js_fetch_proxy directive configured with client-controlled NGINX variables ($http_*, $arg_*, $cookie_*) and ngx.fetch() operation on systems with ASLR disabled
CVE-2026-8711 Buffer Overflow Heap buffer overflow in NGINX worker process due to crafted HTTP requests when js_fetch_proxy is configured with client-controlled variables

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 19, 2026 at 18:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

CVE-2026-20240 — Denial of Service

CVE-2026-20240 — In Splunk Enterprise versions below 10.2.2, 10.0.5, 9.4.11, and 9.3.12, and Splunk Cloud Platform versions below 10.4.2603.1, 10.3.2512.9, 10.2.2510.11, 10.1.2507.21, 10.0.2503.13, and 9.3.2411.129,...

vulnerabilityCVEmedium-severitydenial-of-servicecwe-20
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma

Splunk Enterprise, Cloud Vulnerability Exposes Session Cookies, Sensitive Data

CVE-2026-20239 — In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a...

vulnerabilityCVEhigh-severitycwe-532
/SCW Vulnerability Desk /HIGH /7.5 /⚑ 5 IOCs /⚙ 4 Sigma

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged

CVE-2026-20238 — In Splunk AI Toolkit versions below 5.7.3, a low-privileged user that does not hold the 'admin' or 'power' roles could access confidential data...

vulnerabilityCVEmedium-severitycwe-863
/SCW Vulnerability Desk /MEDIUM /6.5 /⚑ 2 IOCs /⚙ 2 Sigma