Nginx 1.31 Released with HTTP Forward Proxy Support

Nginx 1.31 has been released as the latest mainline version, introducing HTTP forward proxy support, improved upstream load balancing, and several important security fixes.

One of the key additions is the new ngx_http_tunnel_module, which enables HTTP forward proxy functionality through the CONNECT method. The release also adds proxy authentication support using the auth_basic, satisfy, and auth_delay directives.

Another notable enhancement is the least_time directive for upstream blocks, allowing administrators to distribute HTTP and stream traffic based on response time rather than traditional methods like connection count.

For stream modules, the new proxy_ssl_alpn directive provides support for selecting ALPN protocols when connecting to SSL upstream servers.

On the security front, Nginx 1.31 patches multiple vulnerabilities. These include CVE-2026-42926, an HTTP/2 request injection flaw in ngx_http_proxy_module tied to the proxy_set_body directive, and CVE-2026-42945, a heap buffer overflow in ngx_http_rewrite_module that could potentially lead to arbitrary code execution.

The release also fixes CVE-2026-42946, a heap buffer overread affecting ngx_http_scgi_module and ngx_http_uwsgi_module, along with CVE-2026-42934, a UTF-8 decoding-related buffer overread in the charset_map directive of ngx_http_charset_module.

For HTTP/3, Nginx 1.31 resolves CVE-2026-40460, an address spoofing vulnerability connected to QUIC connection migration, as well as CVE-2026-40701, a use-after-free issue during DNS response handling when the ssl_ocsp directive is enabled.

Beyond the CVE-related fixes, Nginx now blocks HTTP/2 and HTTP/3 requests containing connection-specific headers such as Connection, Proxy-Connection, Keep-Alive, Transfer-Encoding, and Upgrade. The TE header is now only permitted when set to trailers.
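The rule above, written out as a standalone check (an added example, not code from Nginx). The type and function names are hypothetical, and trimming whitespace and ignoring case when comparing the TE value are assumptions, since the release notes only say the value must be trailers.

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Added illustration, not nginx source: one decoded HTTP/2 or HTTP/3 field. */
typedef struct { const char *name; const char *value; } h2_field;

/* Connection-specific header names listed in the release notes above. */
static const char *const forbidden[] = {
    "connection", "proxy-connection", "keep-alive",
    "transfer-encoding", "upgrade"
};

/* Assumption: surrounding spaces/tabs are ignored and the token is matched
   case-insensitively. Any list such as "trailers, deflate" is refused. */
static int te_is_trailers(const char *v)
{
    size_t n;
    while (*v == ' ' || *v == '\t') v++;
    n = strlen(v);
    while (n > 0 && (v[n - 1] == ' ' || v[n - 1] == '\t')) n--;
    return n == 8 && strncasecmp(v, "trailers", 8) == 0;
}

/* Returns -1 when every field is acceptable, otherwise the index of the
   first field that should cause the request to be rejected. Names are
   compared case-insensitively so a mixed-case spelling is also caught. */
int first_rejected_field(const h2_field *f, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        for (size_t k = 0; k < sizeof(forbidden) / sizeof(forbidden[0]); k++)
            if (strcasecmp(f[i].name, forbidden[k]) == 0)
                return (int) i;
        if (strcasecmp(f[i].name, "te") == 0 && !te_is_trailers(f[i].value))
            return (int) i;
    }
    return -1;
}

/* Constructed sample requests (not captured traffic). */
static const h2_field sample_ok[] = {
    {":method", "POST"}, {"te", "trailers"}, {"content-type", "application/grpc"}
};
static const h2_field sample_chunked[] = {
    {":method", "POST"}, {"content-length", "4"}, {"transfer-encoding", "chunked"}
};
static const h2_field sample_te_list[] = {
    {":method", "GET"}, {"te", "trailers, deflate"}
};
```
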

The WebDAV module has also been hardened, with Nginx rejecting COPY or MOVE requests when the source and destination are identical or share a parent-child collection relationship.

Additional improvements include lowering the logging severity of certain SSL-related errors, adding a configure option to disable the upstream sticky module, and fixing HTTP/2 backend keepalive handling when using proxy_set_body or proxy_pass_request_body.

Nginx 1.31 is now available through the project’s official download channels and GitHub release page.
