*) Security: a buffer overflow might occur while handling a COPY or

request in a location with "alias", allowing an attacker to

   the source or destination path outside of the document root
   (CVE-2026-27654).
   Thanks to Calif.io in collaboration with Claude and Anthropic
   Research.

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module on 32-bit platforms might cause a worker

   crash, or might have potential other impact (CVE-2026-27784).
   Thanks to Prabhav Srinath (sprabhav7).

*) Security: processing of a specially crafted mp4 file by the
   ngx_http_mp4_module might cause a worker process crash, or might

   potential other impact (CVE-2026-32647).
   Thanks to Xint Code and Pavel Kohout (Aisle Research).

*) Security: a segmentation fault might occur in a worker process if

CRAM-MD5 or APOP authentication methods were used and

   retry was enabled (CVE-2026-27651).
   Thanks to Arkadi Vainbrand.

*) Security: an attacker might use PTR DNS records to inject data in
   auth_http requests, as well as in the XCLIENT command in the

SMTP connection (CVE-2026-28753).
Thanks to Asim Viladi Oglu Manizada, Colin Warren, Xiao Liu

   University), Yuan Tan (UC Riverside), and Bird Liu (Lanzhou
   University).

*) Security: SSL handshake might succeed despite OCSP rejecting a

   certificate in the stream module (CVE-2026-28755).
   Thanks to Mufeed VH of Winfunc Research.

*) Feature: the "multipath" parameter of the "listen" directive.

*) Feature: the "local" parameter of the "keepalive" directive in

   "upstream" block.

*) Change: now the "keepalive" directive in the "upstream" block is
   enabled by default.

*) Change: now ngx_http_proxy_module supports keepalive by default;

   default value for "proxy_http_version" is "1.1"; the "Connection"
   proxy header is not sent by default anymore.

*) Bugfix: an invalid HTTP/2 request might be sent after switching

the next upstream if buffered body was used in the
ngx_http_grpc_module.

*) Feature: session affinity support; the "sticky" directive in the
   "upstream" block of the "http" module; the "server" directive
   supports the "route" and "drain" parameters.

*) Change: now nginx limits the size and rate of QUIC stateless

   packets.

*) Bugfix: receiving a QUIC packet by a wrong worker process could

   the connection to terminate.

*) Bugfix: "[crit] cache file ... contains invalid header" messages
   might appear in logs when sending a cached HTTP/2 response.

*) Bugfix: proxying to scgi backends might not work when using

   transfer encoding and the "scgi_request_buffering" directive.
   Thanks to Mufeed VH.

*) Bugfix: in the ngx_http_mp4_module.
   Thanks to Andrew Lacambra.

*) Bugfix: nginx treated a comma as separator in the "Cookie"

   header line when evaluating "$cookie_..." variables.

*) Bugfix: in IMAP command literal argument parsing.