A vulnerability was found in F5 NGINX Plus and NGINX Open Source . It has been declared as critical . This affects an unknown function of the component Source IP Address Handler . The manipulation results in authentication bypass by spoofing. This vulnerability was named CVE-2026-40460 . The attack may be performed from remote. There is no available exploit. It is recommended to upgrade the affected component.