Amazon Linux 2 Security Advisory: ALAS2NGINX1-2026-010
Advisory Released Date: 2026-02-19
Advisory Updated Date: 2026-02-19
A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side--along with conditions beyond the attacker's control--may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. (CVE-2026-1642)
Affected Packages:
nginx
Note:
This advisory is applicable to Amazon Linux 2 - Nginx1 Extra. Visit this page to learn more about Amazon Linux 2 (AL2) Extras and this FAQ section for the difference between AL2 Core and AL2 Extras advisories.
Issue Correction:
Run yum update nginx or yum update --advisory ALAS2NGINX1-2026-010 to update your system.
aarch64:
nginx-1.28.2-1.amzn2.0.1.aarch64
nginx-core-1.28.2-1.amzn2.0.1.aarch64
nginx-mod-http-geoip-1.28.2-1.amzn2.0.1.aarch64
nginx-mod-http-image-filter-1.28.2-1.amzn2.0.1.aarch64
nginx-mod-http-perl-1.28.2-1.amzn2.0.1.aarch64
nginx-mod-http-xslt-filter-1.28.2-1.amzn2.0.1.aarch64
nginx-mod-mail-1.28.2-1.amzn2.0.1.aarch64
nginx-mod-stream-1.28.2-1.amzn2.0.1.aarch64
nginx-mod-devel-1.28.2-1.amzn2.0.1.aarch64
nginx-debuginfo-1.28.2-1.amzn2.0.1.aarch64
noarch:
nginx-all-modules-1.28.2-1.amzn2.0.1.noarch
nginx-filesystem-1.28.2-1.amzn2.0.1.noarch
src:
nginx-1.28.2-1.amzn2.0.1.src
x86_64:
nginx-1.28.2-1.amzn2.0.1.x86_64
nginx-core-1.28.2-1.amzn2.0.1.x86_64
nginx-mod-http-geoip-1.28.2-1.amzn2.0.1.x86_64
nginx-mod-http-image-filter-1.28.2-1.amzn2.0.1.x86_64
nginx-mod-http-perl-1.28.2-1.amzn2.0.1.x86_64
nginx-mod-http-xslt-filter-1.28.2-1.amzn2.0.1.x86_64
nginx-mod-mail-1.28.2-1.amzn2.0.1.x86_64
nginx-mod-stream-1.28.2-1.amzn2.0.1.x86_64
nginx-mod-devel-1.28.2-1.amzn2.0.1.x86_64
nginx-debuginfo-1.28.2-1.amzn2.0.1.x86_64