Nginx 1.31 Released with HTTP Forward Proxy Support

Nginx 1.31 introduces HTTP forward proxy support and addresses security vulnerabilities in HTTP/2, HTTP/3, OCSP, and core modules.

Nginx 1.31 is now available as the latest mainline release, featuring HTTP forward proxy support, enhanced upstream load balancing, and multiple security fixes.

The primary enhancement is the ngx_http_tunnel_module, which enables HTTP forward proxying via the CONNECT method. This release also introduces proxy authentication using the auth_basic, satisfy, and auth_delay directives.

Nginx 1.31 adds the least_time directive to the upstream block, allowing administrators to balance HTTP and stream traffic based on response time instead of connection count or other methods.

For stream modules, the proxy_ssl_alpn directive now allows ALPN protocol selection when connecting to SSL upstream servers.

On the security side, Nginx 1.31 resolves CVE-2026-42926, an HTTP/2 request injection vulnerability in ngx_http_proxy_module related to the proxy_set_body directive. It also addresses CVE-2026-42945, a heap buffer overflow in ngx_http_rewrite_module that could allow arbitrary code execution.

This release also fixes CVE-2026-42946, a heap buffer overread in ngx_http_scgi_module and ngx_http_uwsgi_module, as well as CVE-2026-42934, a buffer overread related to UTF-8 decoding in the charset_map directive of ngx_http_charset_module.

For HTTP/3, Nginx 1.31 addresses CVE-2026-40460, an address spoofing vulnerability involving QUIC connection migration. It also resolves CVE-2026-40701, a use-after-free issue during DNS response processing when the ssl_ocsp directive is enabled.

In addition to CVE fixes, Nginx now rejects HTTP/2 and HTTP/3 requests with connection-specific headers, including Connection, Proxy-Connection, Keep-Alive, Transfer-Encoding, and Upgrade. The TE header is accepted only when set to trailers.
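The header rule described above, written as a small check that can be run over decoded request header lists in a test suite or during log review. This is an added example, not nginx code; the function name, the case-insensitive comparison and the sample header lists are assumptions constructed for illustration.

```python
# Added example: models the rule described in the article; not nginx source code.
CONNECTION_SPECIFIC = frozenset({
    "connection", "proxy-connection", "keep-alive",
    "transfer-encoding", "upgrade",
})


def _text(field):
    """Accept str or bytes, since decoded header fields are often bytes."""
    return field.decode("latin-1") if isinstance(field, bytes) else field


def h2_header_violations(headers):
    """Return the reasons a decoded HTTP/2 or HTTP/3 request would be rejected.

    Assumption: names and the TE value are compared case-insensitively and
    surrounding whitespace is ignored.
    """
    violations = []
    for raw_name, raw_value in headers:
        name = _text(raw_name).strip().lower()
        value = _text(raw_value).strip()
        if name in CONNECTION_SPECIFIC:
            violations.append(f"{name}: connection-specific header")
        elif name == "te" and value.lower() != "trailers":
            violations.append(f"te: value {value!r} is not 'trailers'")
    return violations


# Constructed sample requests (not captured traffic).
CLEAN = [(":method", "GET"), (":path", "/"), ("te", "trailers")]
HTTP1_STYLE = [(":method", "POST"), (":path", "/api"),
               ("transfer-encoding", "chunked"), ("te", "gzip, trailers")]
BYTES_MIXED_CASE = [(b":method", b"GET"), (b"Keep-Alive", b"timeout=5"),
                    (b"Upgrade", b"websocket")]

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("http1-style", HTTP1_STYLE),
                       ("bytes", BYTES_MIXED_CASE)]:
        print(label, h2_header_violations(req) or "accepted")
```
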

The WebDAV module has been strengthened, too, with Nginx now rejecting COPY or MOVE requests if the source and destination are identical or have a parent-child collection relationship.

Additional changes include reduced logging severity for certain SSL-related errors, an updated configure option to disable the upstream sticky module, and fixes for HTTP/2 backend keepalive behavior when using proxy_set_body or proxy_pass_request_body.

Nginx 1.31 is now available through the official download channels and the project’s GitHub release page.

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.
