This article is our current position statement on recent CVE reports regarding NGINX upstream TLS verification.
Applies to: All SNS EVO Storage Systems
Risk Level: None / Not Applicable
Overview
In early 2026, CVE-2026-1642 was disclosed, describing a vulnerability in NGINX. This flaw allows for a potential Man-in-the-Middle (MITM) attack if NGINX is configured to proxy traffic to upstream servers via TLS without proper certificate validation or under specific handshake conditions.
EVO uses NGINX to manage web traffic and API requests. However, the way NGINX is deployed within the EVO OS does not meet the preconditions for this exploit.
Vulnerability Assessment
CVE-2026-1642 (Upstream TLS MITM): NOT AFFECTED.
The vulnerability specifically requires NGINX to be configured to proxy to upstream TLS servers.
While NGINX on EVO terminates TLS on the client-facing side (e.g., ports 443, 8090, and 8091), it never initiates TLS connections to backend or upstream services.
Because NGINX only communicates with internal services via non-TLS local sockets or cleartext backends within the hardened system boundary, the MITM attack vector described in the CVE cannot be triggered.
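The condition this assessment rests on, that no directive makes NGINX open a TLS connection to a backend, can be checked against any NGINX configuration dump. The script below is an added example, not SNS or NGINX code; the function names, the sample configuration and its hostnames are constructed for illustration, and it covers the http proxy, gRPC, uwsgi and stream modules only.

```python
import re
import sys

# Targets whose scheme makes NGINX open a TLS connection to the backend.
TLS_PASS = re.compile(
    r"^(proxy_pass\s+[\"']?https://|grpc_pass\s+[\"']?grpcs://|uwsgi_pass\s+[\"']?suwsgi://)", re.I)
# The stream module enables TLS towards the backend with "proxy_ssl on".
STREAM_TLS = re.compile(r"^proxy_ssl\s+on$", re.I)
# A target that starts with a variable hides the scheme: flag for manual review.
VAR_PASS = re.compile(r"^(proxy|grpc|uwsgi)_pass\s+[\"']?\$", re.I)


def strip_comment(line):
    """Drop a trailing # comment, ignoring # inside quoted strings."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "#":
            return line[:i]
    return line


def find_upstream_tls(config_text):
    """Return (line_no, verdict, directive) for every directive of interest."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        # Several directives may share a line, so split on ; { }.
        for stmt in re.split(r"[;{}]", strip_comment(raw)):
            stmt = stmt.strip()
            if TLS_PASS.match(stmt) or STREAM_TLS.match(stmt):
                findings.append((no, "upstream-tls", stmt))
            elif VAR_PASS.match(stmt):
                findings.append((no, "review", stmt))
    return findings


# Constructed sample, not an EVO configuration.
SAMPLE = """\
server {
    listen 443 ssl;
    location /api/ { proxy_pass http://127.0.0.1:8080; }
    location /sock/ { proxy_pass http://unix:/run/app.sock; }
    # proxy_pass https://old-backend.example;
    location /ext/ { proxy_pass https://backend.example; }
    location /dyn/ { proxy_pass $target; }
}
"""

if __name__ == "__main__":
    # Typical use: pipe the output of "nginx -T" into this script.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for finding in find_upstream_tls(text):
        print(*finding)
```

An empty result means no upstream TLS directive is present in the dumped configuration; a "review" line means the scheme is set through a variable and has to be traced by hand.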
Customer Action
No action is required. Because the vulnerable configuration (upstream TLS) does not exist in any EVO version to date, the system remains secure against this specific exploit. No patches are necessary for this CVE.