Hi all, as per the subject, our on-premise installation of Document Server (Docker version) exposes nginx version 1.24.0 (from the Ubuntu OS repo), for which this site lists a CVE graded critical (NGINX CVE 2026). My question is: can the Docker image be upgraded to use the nginx repo officially distributed by the vendor? Is this operation up to us, or could it be done by the ONLYOFFICE maintainer? Thanks in advance for helping us.
Hello, @malviven7, thank you for reporting this.
To investigate the issue properly, please clarify which exact CVE you mean and share the CVE ID(s) together with the source where this vulnerability is reported for your NGINX version.
Please also send us your exact ONLYOFFICE Docs Docker image and tag.
Once we have these details, we will be able to check the case more precisely.
Thanks @Marix for your response. Inside the guest Docker machine I ran "nginx -V" and received this output:
nginx version: nginx/1.24.0 (Ubuntu)
built with OpenSSL 3.0.13 30 Jan 2024
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fno-omit-frame-pointer -mno-omit-leaf-frame-pointer -ffile-prefix-map=/build/nginx-5QYLpr/nginx-1.24.0=. -flto=auto -ffat-lto-objects -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -fdebug-prefix-map=/build/nginx-5QYLpr/nginx-1.24.0=/usr/src/nginx-1.24.0-2ubuntu7.3 -fPIC -Wdate-time -D_FORTIFY_SOURCE=3' --with-ld-opt='-Wl,-Bsymbolic-functions -flto=auto -ffat-lto-objects -Wl,-z,relro -Wl,-z,now -fPIC' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --modules-path=/usr/lib/nginx/modules --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-compat --with-debug --with-pcre-jit --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_v2_module --with-http_dav_module --with-http_slice_module --with-threads --with-http_addition_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_secure_link_module --with-http_sub_module --with-mail_ssl_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-stream_realip_module --with-http_geoip_module=dynamic --with-http_image_filter_module=dynamic --with-http_perl_module=dynamic --with-http_xslt_module=dynamic --with-mail=dynamic --with-stream=dynamic --with-stream_geoip_module=dynamic
If I read the link I posted correctly, these are the CVEs:
CVE-2026-27654
CVE-2026-27784
CVE-2026-32647
CVE-2026-27651
and in the column "Affected versions", every CVE is reported for nginx from 1.1.19 to 1.29.6 or from 1.0.0 to 1.29.6.
The tag in the yml file is "onlyoffice/documentserver:latest". Because this is a production site, I haven't pulled the current image, and I am at this version:
Version: 8.3.3 (build:18)
I hope this information can help you check the case.
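An added example, not part of the original posts and not ONLYOFFICE code: a shell check that parses the `nginx -V` banner shown above, extracts the upstream version and the Ubuntu package revision, and compares the upstream version with the widest "Affected versions" range quoted in the post (1.0.0 to 1.29.6). The function names and the trimmed sample banner are constructed for illustration; a distro build is reported separately because distributions can backport fixes without changing the upstream version string.

```shell
#!/bin/sh
# Constructed sample: the banner from the post, trimmed to the fields used here.
sample_banner() {
cat <<'EOF'
nginx version: nginx/1.24.0 (Ubuntu)
built with OpenSSL 3.0.13 30 Jan 2024
configure arguments: --with-cc-opt='-g -O2 -fdebug-prefix-map=/build/nginx-5QYLpr/nginx-1.24.0=/usr/src/nginx-1.24.0-2ubuntu7.3 -fPIC' --with-compat
EOF
}

# Upstream version from the "nginx version:" line, e.g. 1.24.0.
upstream_version() {
  sed -n 's|^nginx version: nginx/\([0-9][0-9.]*\).*|\1|p' | head -n1
}

# Distro package revision embedded in -fdebug-prefix-map, e.g. 1.24.0-2ubuntu7.3.
# Prints nothing for builds whose banner does not carry that path.
package_revision() {
  sed -n "s|.*=/usr/src/nginx-\([^ ']*\).*|\1|p" | head -n1
}

# True when $1 <= $2 in version order (relies on GNU sort -V).
ver_le() { [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]; }

# Reads a banner on stdin and prints one classification line.
classify() {
  banner=$(cat)
  up=$(printf '%s\n' "$banner" | upstream_version)
  pkg=$(printf '%s\n' "$banner" | package_revision)
  if [ -z "$up" ]; then
    echo "unparsed"
  elif ! { ver_le 1.0.0 "$up" && ver_le "$up" 1.29.6; }; then
    # Outside the widest range quoted in the post.
    echo "outside-range upstream=$up"
  elif [ -n "$pkg" ]; then
    # Distro build: the upstream number alone does not show backported fixes,
    # so the package revision has to be checked against the distro advisory.
    echo "check-distro-advisory upstream=$up package=$pkg"
  else
    echo "in-range upstream=$up"
  fi
}

# Live use inside the container: nginx -V 2>&1 | classify   (nginx -V writes to stderr)
sample_banner | classify
```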
Hello, @malviven7 !
Thank you very much for the detailed report, the CVE list, and the version information you provided - it was extremely helpful!
We've registered and updated an internal task for our team to address these NGINX vulnerabilities in the official Docker images. Unfortunately, I can't provide an exact ETA yet, but this topic is now being actively tracked on our side. We'll share an update in this thread as soon as a fix is implemented.
Thanks again for bringing this to our attention and for taking the time to investigate it so thoroughly!