*) Security: when using the "proxy_set_body" directive, an attacker
   might inject data in the proxied request to an HTTP/2 backend
   (CVE-2026-42926).
   Thanks to Mufeed VH of Winfunc Research.

*) Security: a heap memory buffer overflow might occur in a worker
   process while handling a specially crafted request by
   ngx_http_rewrite_module, potentially resulting in arbitrary code
   execution (CVE-2026-42945).
   Thanks to Leo Lin.

*) Security: a heap memory buffer overread might occur in a worker
   process while handling a specially crafted response by
   ngx_http_scgi_module or ngx_http_uwsgi_module, allowing an

to cause a disclosure of worker process memory or segmentation

   in a worker process (CVE-2026-42946).
   Thanks to Leo Lin.

*) Security: a heap memory buffer overread might occur in a worker
   process while handling a specially sent response with decoding

UTF-8 via the "charset_map" directive, allowing an attacker to

a limited disclosure of worker proccess memory or segmentation

   in a worker process (CVE-2026-42934).
   Thanks to David Carlier.

*) Security: when using HTTP/3, processing of connection migration

   cause new QUIC streams to receive a new client address before
   validation, allowing an attacker to cause address spoofing
   (CVE-2026-40460).
   Thanks to Rodrigo Laneth.

*) Security: use-after-free might occur during DNS server response
   processing if the "ssl_ocsp" directive was used, allowing an

to cause worker process memory corruption or segmentation fault

   worker process (CVE-2026-40701).
   Thanks to Leo Lin.

*) Change: now nginx rejects HTTP/2 and HTTP/3 requests with the
   "Connection", "Proxy-Connection", "Keep-Alive",

   "Upgrade" header lines, and "TE" with any value other than
   "trailers".

*) Change: the ngx_http_dav_module now rejects a COPY or MOVE

   when the source and destination resources are the same or have a
   parent-child collection relationship.

*) Change: the logging level of the "invalid alert" and "record

failure" SSL errors, and of the "SSL alert number N" for any

   numbers has been lowered from "crit" to "info".

*) Change: now the "sticky" module can be disabled with the
   --without-http_upstream_sticky_module configure option; the
   --without-http_upstream_sticky configure option is deprecated.

*) Feature: the ngx_http_tunnel_module; support for authenticating

proxies in the "auth_basic", "satisfy", and "auth_delay"

*) Feature: the "least_time" directive inside the "upstream" block.

*) Feature: the "proxy_ssl_alpn" directive in the stream module.

*) Bugfix: connections with HTTP/2 backends might not be cached when
   using the "proxy_set_body" or "proxy_pass_request_body"

*) Bugfix: proxied HTTP/0.9, SCGI, or uWSGI responses might be
   transferred incorrectly if the first line was not fully read.