CVE-2026-9256 – Critical vulnerability in Nginx

Security Advisory

Affected: Skillplan Secure Access (SPSA) – Patch available

CVE identifier: CVE-2026-9256
Severity: Critical
Affected component: Nginx (SPSA stack)
Patch status: Available
Published: May 27, 2026

Summary

A critical vulnerability, published under the identifier CVE-2026-9256, has been identified in Nginx, which is an integral component of the Skillplan Secure Access (SPSA) stack.

The vulnerability affects only Nginx; the SPSA application itself, its configuration and its user data are not directly affected. However, because Nginx operates as the reverse proxy and central HTTP gateway within the SPSA container stack, all production SPSA instances must be updated promptly.

Note on affected deployments

All SPSA deployments that run Nginx as part of the Docker Compose stack are affected by this vulnerability. This includes all standard and customized SPSA installations, regardless of the SPSA version used.

Technical background

Nginx acts as the upstream reverse proxy in the SPSA architecture. It terminates incoming HTTPS connections, forwards requests to the Guacamole backend services and provides authenticated web access to the SPSA interface.

CVE-2026-9256 describes a vulnerability in the HTTP request processing of Nginx that can be exploited by unauthenticated attackers under certain circumstances. Details on the technical nature of the attack vector will be published in full after the coordinated disclosure period.

Attack vector

Network-based: exploitation is possible without local access to the system, provided the Nginx port is reachable. SPSA instances that are directly exposed to the Internet require particularly urgent action.

Available patch

Skillplan GmbH is now providing updated Docker images for the SPSA stack. The patched images contain the corrected Nginx version and fully remediate CVE-2026-9256.

The update is delivered via the regular SPSA container repositories and does not require any changes to the configuration or existing user data. A complete reinstallation is not necessary.

Patch available

The corrected SPSA container image is now available via the standard repositories. The update is carried out by importing the new images as part of the regular SPSA update procedure. Affected customers will receive detailed instructions directly by e-mail.

Recommended measure

We recommend that all SPSA operators install the security update as soon as possible. The update process causes a brief, planned interruption to SPSA services, so we recommend carrying it out outside production hours.

If you have any questions about how your specific installation is affected or need assistance with the update, please contact our support team.


Support & technical queries

support@skill-plan.com

Skillplan GmbH – Security Advisory – May 27, 2026 – This document will be updated as new information becomes available.