CVE-2026-1642 (nginx SSL Upstream Injection) reported against Aria Operations Management Pack Builder 2.0

Article ID: 438676

Products

VCF Operations/Automation (formerly VMware Aria Suite)

Issue/Introduction

  • Vulnerability scanners (for example Nessus plugin 304671) may report the following finding against an Aria Operations Management Pack Builder 2.0 deployment:
    nginx 1.3.0 < 1.28.2 / 1.29.x < 1.29.5 SSL Upstream Injection (CVE-2026-1642)
  • A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side may be able to inject plain-text data into the response from an upstream proxied server.
  • The scanner identifies the issue from the Server: HTTP response header alone. The Nessus plugin output explicitly notes:
    "Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."
  • Customers using vulnerability-management workflows that auto-create tickets from banner-based findings will see this CVE flagged on Management Pack Builder 2.0.
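The following is an added example, not Broadcom or Nessus code, showing how a banner-only check of this kind arrives at its result: it reads the Server header and compares the self-reported version against the ranges in the finding title. The function names, result labels and sample responses are constructed for illustration, and treating 1.3.0 as an inclusive lower bound is an assumption about how the title is meant to be read.

```python
import re

# Affected ranges as read from the finding title quoted above:
# 1.3.0 up to (not including) 1.28.2, and 1.29.x below 1.29.5.
AFFECTED = [((1, 3, 0), (1, 28, 2)), ((1, 29, 0), (1, 29, 5))]
BANNER_RE = re.compile(r"^nginx/(\d+)\.(\d+)\.(\d+)\b", re.IGNORECASE)

def server_header(raw_response):
    """Return the Server header value from raw HTTP response text, or None."""
    for line in raw_response.split("\r\n")[1:]:  # skip the status line
        if not line:  # a blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "server":
            return value.strip()
    return None

def triage(banner):
    """Classify a Server banner using only its self-reported version."""
    m = BANNER_RE.match(banner or "")
    if m is None:
        return "no-version"  # no nginx version in the banner; nothing to compare
    version = tuple(int(part) for part in m.groups())  # numeric, not string, compare
    if any(lo <= version < hi for lo, hi in AFFECTED):
        return "banner-match"  # version-only evidence, the issue itself is untested
    return "not-in-range"

# Constructed sample responses (versions chosen for illustration only).
SAMPLES = {
    "host-a": "HTTP/1.1 200 OK\r\nServer: nginx/1.26.1\r\nContent-Type: text/html\r\n\r\n",
    "host-b": "HTTP/1.1 200 OK\r\nServer: nginx/1.28.10\r\n\r\n",
    "host-c": "HTTP/1.1 200 OK\r\nServer: nginx/1.29.4\r\n\r\n",
    "host-d": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    "host-e": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

def triage_all(samples=SAMPLES):
    """Map each sample host to its banner-only classification."""
    return {host: triage(server_header(raw)) for host, raw in samples.items()}

if __name__ == "__main__":
    for host, result in triage_all().items():
        print(host, result)
```

A "banner-match" result records only that the reported version falls in the listed range; as the plugin output states, the issue itself has not been tested.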

Environment

Aria Operations Management Pack Builder 2.0

Resolution

Broadcom is aware of CVE-2026-1642.
Please refer to the release notes for existing and forthcoming product releases for any updates in relation to this CVE.
Should you require further information, please note this Knowledge Article ID (438676) in the problem description and contact Broadcom Support.