github webserver-llc/angie Angie-1.11.4
Angie 1.11.4


Security: TLS handshake with a client in the stream module might succeed despite OCSP rejecting the client certificate (CVE-2026-28755); the fix was ported from nginx 1.29.7.

Security: A buffer overflow might occur in the DAV module while handling a COPY or MOVE request in a location with the alias directive, allowing an attacker to modify the source or destination path outside of the document root directory (CVE-2026-27654); the fix was ported from nginx 1.29.7.

Security: Processing of a specially crafted file by the MP4 module on 32-bit platforms might cause a worker process crash, or might have other potential impact (CVE-2026-27784); the fix was ported from nginx 1.29.7.

Security: Processing of a specially crafted file by the MP4 module might cause a worker process crash, or might have other potential impact (CVE-2026-32647); the fix was ported from nginx 1.29.7.

Security: If the CRAM-MD5 or APOP authentication methods were used in the Mail proxy module and authentication retry was enabled, then a worker process could crash (CVE-2026-27651); the fix was ported from nginx 1.29.7.

Security: When the Mail proxy module was used, an attacker using PTR DNS records could inject data into authentication HTTP requests, as well as into the XCLIENT command in the SMTP connection to the proxied server (CVE-2026-28753); the fix was ported from nginx 1.29.7.

Bugfix: Rare system errors before the connection to the proxied server might affect the correctness of the peer status in the HTTP and stream modules; they might also lead to a worker process crash in the stream module; the bug had appeared in 1.9.1.

Bugfix: In configurations where the proxy_http_version 3 and proxy_set_header Host .. directives were inherited from the http block, outgoing HTTP/3 requests might be sent without the Host header.
