Question: Is Nginx Proxy Manager 2.14.0 affected by recent nginx/OpenResty CVEs?

[MikaelKW]

Hi,

I would like to ask whether Nginx Proxy Manager 2.14.0 is affected by any of the recently published nginx/OpenResty-related CVEs below:

• CVE-2026-28753
• CVE-2026-27651
• CVE-2026-32647
• CVE-2026-27784
• CVE-2026-27654

From my local check inside the Nginx Proxy Manager container, running the following command:
docker exec -it npm-app-1 nginx -V

I can for example see the following:
nginx version: openresty/1.27.1.2

My question is therefore whether Nginx Proxy Manager 2.14.0, with its bundled OpenResty 1.27.1.2 / underlying nginx version, is considered affected by any of the CVEs listed above, and whether there is any plan to update the bundled web stack to a version containing the relevant fixes/backports.

I am not reporting a new vulnerability here, only asking for clarification on the security status of the currently shipped version.

Thanks!

[jcarvajalantigua]

Hi @MikaelKW,

Thanks for the detailed question. Here is a breakdown of each CVE against NPM 2.14.0 (OpenResty 1.27.1.2 / nginx 1.27.1):

Are these CVEs technically applicable?

According to the official nginx security advisories, all five CVEs affect nginx versions up through 1.29.6, with fixes landing in 1.29.7+ and 1.28.3+. Since NPM 2.14.0 bundles OpenResty 1.27.1.2 (nginx 1.27.1), it falls within the vulnerable range for all of them:
CVE Module Severity Vulnerable range
CVE-2026-28753 ngx_mail_smtp_module (CRLF injection via DNS) Medium 0.6.27–1.29.6
CVE-2026-27651 ngx_mail (NULL ptr deref, CRAM-MD5/APOP) Low 0.5.15–1.29.6
CVE-2026-32647 ngx_http_mp4_module (buffer over-read/write) Medium 1.1.19–1.29.6
CVE-2026-27784 ngx_http_dav_module (buffer overflow) Medium 0.5.13–1.29.6
CVE-2026-27654 ngx_http_dav_module (buffer overflow) Medium 0.5.13–1.29.6
ractical risk in a standard NPM deployment

The actual exploitability in a typical NPM setup is low for the following reasons:

CVE-2026-28753 / CVE-2026-27651 require the ngx_mail_smtp_module to be in use as a mail proxy. NPM is an HTTP/HTTPS reverse proxy and does not enable mail proxying by default.

CVE-2026-32647 requires ngx_http_mp4_module to be active and an attacker to be able to trigger processing of a crafted MP4 file. NPM does not serve MP4 files directly in a standard configuration.

CVE-2026-27784 / CVE-2026-27654 require ngx_http_dav_module (WebDAV) to be enabled. NPM does not use WebDAV in its default configuration.

Fix availability

OpenResty published 1.29.2.3 (March 2026) which includes backports of all the relevant nginx security patches covering these CVEs. Updating NPM's bundled OpenResty to 1.29.2.3 would require a major version bump of the underlying web stack.

There is currently no released version of NPM that ships with a patched OpenResty. If your deployment does not expose mail proxying, WebDAV, or direct MP4 file serving through NPM, the practical risk remains low. However, tracking this for a future OpenResty bump is warranted.

Hope this helps clarify the situation.