F5 has found a serious security hole in NGINX that could let attackers run arbitrary code or disrupt service by using a specially crafted MP4 file. When the MP4 streaming module is turned on, the flaw, known as CVE-2026-32647, affects both NGINX Plus and NGINX Open Source deployments.

The problem is in ngx_http_mp4_module, which handles MP4 files for pseudo-streaming. The NGINX worker process can crash and restart when it tries to process the malformed file, which interrupts traffic for a short time: a denial-of-service (DoS) condition. In more advanced cases, attackers might be able to use memory corruption to achieve remote code execution (RCE) on the host system, but this would depend on the specific environment and the sophistication of the exploit.

It is very important for organizations to upgrade to the patched versions as soon as they can. If administrators can't patch right away, they can lower the risk by only letting trusted users upload files and by checking all media inputs. After making changes, administrators should check the configuration with the command sudo nginx -t and then reload the service with sudo service nginx reload.

Xint Code and Pavel Kohout from Aisle Research, two security researchers, responsibly disclosed the flaw.

This flaw does not affect other F5 products like BIG-IP Next, BIG-IQ Centralized Management, F5OS, or Distributed Cloud Services. It shows that media parsing components are still risky and that web server environments need to be configured securely. Versions 1.29.7 and 1.28.3 fix the flaw.

NGINX Open Source does not turn on the MP4 module by default.
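
For triage, the following added example (not code from F5 or the NGINX project) checks the two facts this article turns on: whether an uncommented mp4 directive appears in a configuration, and whether a version is at or past 1.29.7 or 1.28.3. The function names and the sample configuration are constructed for illustration, and comparing each 1.29.x or 1.28.x build against its own branch's fixed release is an assumption.

```shell
#!/bin/sh
# Added example: triage a host for the ngx_http_mp4_module flaw described above.
# Fixed releases (from the article): 1.29.7 and 1.28.3.

# Read nginx config text on stdin; succeed if an uncommented "mp4;" directive exists.
mp4_enabled() {
    sed 's/#.*//' | grep -E '(^|[[:space:];{])mp4[[:space:]]*;' >/dev/null
}

# Print fixed / needs-upgrade / unknown for a version such as 1.28.2.
# Assumption: a 1.29.x build is compared with 1.29.7 and a 1.28.x build with 1.28.3;
# the article gives no affected range for other branches, so they report "unknown".
version_status() {
    branch=${1%.*}; patch=${1##*.}
    case $branch in
        1.29) fixed=7 ;;
        1.28) fixed=3 ;;
        *) echo unknown; return 0 ;;
    esac
    case $patch in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$patch" -ge "$fixed" ]; then echo fixed; else echo needs-upgrade; fi
}

# Combine both checks: $1 = version string, config text on stdin.
triage() {
    status=$(version_status "$1")
    if mp4_enabled; then
        echo "mp4=on version=$status"
    else
        echo "mp4=off version=$status"
    fi
}

# Constructed sample config (not from a real deployment).
SAMPLE_CONF='server {
    listen 80;
    # mp4;  (commented out at server level)
    location /video/ {
        mp4;
        mp4_buffer_size 1m;
    }
}'

printf '%s\n' "$SAMPLE_CONF" | triage 1.28.2
# On a live host (needs read access to the configuration files):
#   nginx -T 2>/dev/null | triage "$(nginx -v 2>&1 | sed 's|.*nginx/\([0-9.]*\).*|\1|')"
```

A result of mp4=on with version=needs-upgrade marks a host to patch first; version=unknown means the build is outside the two branches named here and should be checked against the vendor advisory.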