NGINX vulnerabilities CVE-2026-42530 and CVE-2026-42055

[mpietersma]

Describe the bug
NGINX vulnerabilities
https://www.cve.org/CVERecord?id=CVE-2026-42530
https://www.cve.org/CVERecord?id=CVE-2026-42055

Current nginx version in NPM: 1.29.2.5

Fixed in nginx version 1.31.2

Nginx Proxy Manager Version
v2.15.1

Additional context
https://thehackernews.com/2026/06/f5-patches-two-critical-nginx-open.html

[mpietersma]

Workaround

• Assuming you are using a docker compose file and not a simple docker run command!

• Step into the NPM container
  docker exec -it {container name} bash
  nginx -v

• Update generic
  apt update

• Skip apt upgrade, is nog really needed, unless you want to try and update all
• Install needed packages for procedure
  apt install curl gnupg2 ca-certificates lsb-release debian-archive-keyring -y

• Install gpg key and add repo.
  curl https://nginx.org/keys/nginx_signing.key | gpg --dearmor | tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null
  echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] https://nginx.org/packages/mainline/debian lsb_release -cs nginx" | tee /etc/apt/sources.list.d/nginx.list
  echo -e "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" | tee /etc/apt/preferences.d/99nginx

• Install nginx latest version and answer N (no) to all questions
  apt install nginx

• Exit container and restart container. - DON't do a docker compose down and up again, then you lose the above again.
  exit
  docker restart {container name}
  docker exec -it {container name} nginx -v

Test
Test if your websites are still working!
If not, roll back with: docker compose down && docker compose up -d