CVE-2026-27654: NGINX DAV + alias Buffer Overflow — Risk Assessment and Practical Hardening Guide

Affected Configurations Matrix

Three conditions must all be present for CVE-2026-27654 to be exploitable. Use this matrix to determine your exposure.

Affected Versions

• NGINX Open Source 0.5.13 – 1.29.6 (mainline)
• NGINX Open Source 0.5.13 – 1.28.2 (stable)
• NGINX Plus R32 – R36 (select patch levels prior to fix)

Fixed in NGINX mainline 1.29.7, stable 1.28.3, and corresponding NGINX Plus releases.

Step 1: Detect Exposure

Determine whether your NGINX installation includes the DAV module and whether any configuration triggers the vulnerable code path.

Check whether the DAV module is compiled in

nginx -V 2>&1 | grep -o '\-\-with-http_dav_module'
# If this returns output, the module is present

Check NGINX version

nginx -v 2>&1
# Vulnerable if version is below 1.29.7 (mainline) or 1.28.3 (stable)

Find vulnerable location blocks

# Search for location blocks that use alias (potential trigger)
grep -rn 'alias\s' /etc/nginx/ | grep -v '#'

# Search for DAV method directives
grep -rn 'dav_methods\|dav_access' /etc/nginx/

# Dump the full effective config and search
nginx -T 2>/dev/null | grep -B5 -A5 'alias\s'

Check for signs of exploitation

Successful exploitation crashes the worker process. Look for abnormal worker restarts and WebDAV-related signals in logs.

# Look for worker process crashes (signal 11 = SIGSEGV, signal 6 = SIGABRT)
grep -i 'signal 11\|signal 6\|worker process.*exited' /var/log/nginx/error.log

# Look for unusual COPY/MOVE requests in access logs
grep -i '"COPY\|"MOVE' /var/log/nginx/access.log | tail -20

# Check for path traversal patterns in DAV requests
grep -iE '"(COPY|MOVE).*\.\.' /var/log/nginx/access.log

Step 2: Immediate Mitigations

Apply these changes to eliminate the attack surface while you prepare the upgrade. No version change required.

Option A: Disable DAV COPY and MOVE methods

If your application does not require WebDAV COPY/MOVE functionality, remove or restrict those methods:

# Before (vulnerable):
location /files/ {
    alias /srv/data/files/;
    dav_methods PUT DELETE MKCOL COPY MOVE;
    dav_access user:rw group:r all:r;
}

# After (mitigated — COPY and MOVE removed):
location /files/ {
    alias /srv/data/files/;
    dav_methods PUT DELETE MKCOL;
    dav_access user:rw group:r all:r;
}

Option B: Block COPY/MOVE at the HTTP method level

If you cannot modify the DAV configuration directly, reject the methods before they reach the module:

location /files/ {
    alias /srv/data/files/;

    # Block the vulnerable methods
    if ($request_method ~ ^(COPY|MOVE)$) {
        return 405;
    }

    dav_methods PUT DELETE MKCOL COPY MOVE;
    dav_access user:rw group:r all:r;
}

Option C: Replace alias with root where possible

The overflow only affects the alias directive. If you can restructure your file paths to use root instead, the vulnerable code path is not triggered:

# Before (vulnerable — alias with prefix location):
location /files/ {
    alias /srv/data/files/;
    dav_methods PUT DELETE MKCOL COPY MOVE;
}

# After (not vulnerable — root directive):
# Requires that files are at /srv/data/files/ (location prefix appended to root)
location /files/ {
    root /srv/data;
    dav_methods PUT DELETE MKCOL COPY MOVE;
}

Test and reload

# Validate configuration syntax
nginx -t

# If OK, graceful reload (zero downtime)
nginx -s reload

Step 3: Patch and Upgrade

The mitigations above reduce the attack surface but upgrading to a patched version is the definitive fix.

Upgrade from official repositories

# Debian / Ubuntu (official NGINX repo)
apt update && apt install nginx

# RHEL / CentOS / Rocky / AlmaLinux
dnf update nginx

# Alpine
apk update && apk upgrade nginx

# Verify the installed version
nginx -v 2>&1
# Target: 1.29.7+ (mainline) or 1.28.3+ (stable)

Container images

# Pull patched images
docker pull nginx:1.29.7
# or stable
docker pull nginx:1.28.3

# Verify
docker run --rm nginx:1.29.7 nginx -v

Safe rollout strategy

• Canary first: Upgrade one instance behind a load balancer. Monitor error rates and worker process stability for at least 30 minutes.
• Watch for regressions: NGINX 1.29.7 and 1.28.3 also fix five other vulnerabilities. Review the full advisory list to anticipate any behavioural changes.
• Rollback plan: Keep the previous NGINX binary or container image tagged and ready. If worker crashes increase after upgrade (unlikely but possible with custom modules), roll back and investigate.

Step 4: Validate the Fix

After upgrading and applying configuration changes, verify that the vulnerability is resolved and DAV functionality (if needed) still works correctly.

Confirm patched version

nginx -v 2>&1 | grep -E '1\.29\.[7-9]|1\.29\.[1-9][0-9]|1\.28\.[3-9]|1\.28\.[1-9][0-9]|1\.[3-9][0-9]\.'
# Should match — if no output, you are still on a vulnerable version

Verify DAV methods are restricted (if mitigated)

# Test that COPY is blocked (adjust host and path to your setup)
curl -s -o /dev/null -w "%{http_code}" -X COPY \
  -H "Destination: /files/test-copy.txt" \
  http://localhost/files/original.txt
# Expected: 405 (Method Not Allowed) if COPY was disabled
# Expected: 201/204 if COPY is allowed on patched version

Verify DAV still works (if methods are required)

# Upload a test file via PUT
echo "test" | curl -s -o /dev/null -w "%{http_code}" -T - http://localhost/files/validate-test.txt
# Expected: 201 or 204

# COPY the file (only if COPY is needed and patched version is installed)
curl -s -o /dev/null -w "%{http_code}" -X COPY \
  -H "Destination: /files/validate-copy.txt" \
  http://localhost/files/validate-test.txt
# Expected: 201 or 204

# Clean up
curl -s -o /dev/null -w "%{http_code}" -X DELETE http://localhost/files/validate-test.txt
curl -s -o /dev/null -w "%{http_code}" -X DELETE http://localhost/files/validate-copy.txt

Confirm no worker crashes under normal load

# Check worker process stability over the past hour
grep -c 'worker process.*exited\|signal 11\|signal 6' /var/log/nginx/error.log
# Expected: 0 (no crashes)

# Verify worker count matches configuration
ps aux | grep 'nginx: worker' | grep -v grep | wc -l
# Should match worker_processes in nginx.conf

Step 5: Post-Fix Monitoring Checklist

Maintain elevated monitoring for at least 7 days after applying the fix. Focus on these signals.

Metrics to watch

• Worker process restarts: Any unexpected restarts after patching warrant investigation. The patched version should not crash on malformed DAV requests.
• WebDAV error rates: Monitor 4xx/5xx responses to COPY, MOVE, PUT, and DELETE methods. A spike may indicate legitimate client incompatibilities or continued attack probing.
• Unusual COPY/MOVE traffic: Attackers may continue probing even after you patch. Log and alert on COPY/MOVE requests from unexpected source IPs.
• File system integrity: If you suspect prior exploitation, compare file listings in DAV-served directories against known-good backups to detect any files placed outside the intended document root.

Log-based detection rules

# Alert on worker crashes (add to your SIEM or log monitoring)
# Pattern for NGINX error log:
#   "worker process XXXX exited on signal 11"
#   "worker process XXXX exited on signal 6"

# Count crashes in the past 24 hours
grep -c 'exited on signal' /var/log/nginx/error.log

# Monitor for COPY/MOVE probing attempts with path traversal
grep -iE '"(COPY|MOVE).*(\.\./|%2e%2e)' /var/log/nginx/access.log

File system integrity check

If you suspect prior exploitation modified file paths outside the document root, audit the parent directories:

# List recently modified files outside the expected DAV root
# Adjust /srv/data to your actual parent directory
find /srv/data -newer /srv/data/files/ -not -path '/srv/data/files/*' -ls

# Compare against a known-good backup if available
diff <(find /srv/data -type f | sort) <(cat /path/to/known-good-file-list.txt | sort)

Long-Term Hardening for WebDAV Deployments

Beyond patching CVE-2026-27654, these practices reduce the risk surface of any NGINX WebDAV deployment.

1. Restrict DAV methods to authenticated users

location /files/ {
    alias /srv/data/files/;
    dav_methods PUT DELETE MKCOL COPY MOVE;
    dav_access user:rw group:r all:r;

    # Require authentication for all write methods
    limit_except GET HEAD OPTIONS {
        auth_basic "WebDAV";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}

2. Prefer root over alias

The alias directive has historically been a source of path-handling bugs in NGINX (this CVE is not the first). Where directory structure permits, use root instead. It avoids the string-rewriting code path that triggers this class of vulnerability.

3. Use limit_except to minimize method exposure

# Only allow the specific methods your application needs
location /files/ {
    root /srv/data;
    dav_methods PUT DELETE MKCOL;

    # Block everything except GET, HEAD, PUT, DELETE, MKCOL
    limit_except GET HEAD PUT DELETE MKCOL {
        deny all;
    }
}

4. Run NGINX with minimal modules

If you compile NGINX from source or use a custom build, only include --with-http_dav_module on instances that actually serve WebDAV. Fewer modules means fewer potential attack surfaces.

5. Automate configuration audits

Add a CI check or cron job that flags risky alias + DAV combinations:

#!/bin/bash
# audit-dav-alias.sh — flag location blocks combining alias with DAV methods
nginx -T 2>/dev/null | awk '
  /location\s/ { loc=$0; has_alias=0; has_dav=0 }
  /alias\s/    { has_alias=1 }
  /dav_methods.*COPY|dav_methods.*MOVE/ { has_dav=1 }
  /\}/         { if (has_alias && has_dav) print "WARNING: " loc " combines alias + DAV COPY/MOVE" }
'

Quick Reference: Response Checklist

References

• NGINX Official Security Advisories
• CVE-2026-27654 — CVE Record
• NVD — CVE-2026-27654
• F5 Advisory K000160382
• NGINX ngx_http_dav_module documentation
• NGINX alias directive documentation