TL;DR

Your reverse proxy is the front door to everything. If it's vulnerable, nothing behind it matters. This digest covers the most impactful recent CVEs across NGINX, HAProxy, Envoy, and OAuth2-Proxy — including in-the-wild exploitation — with a plain-English impact line and a 5-minute audit checklist you can run right now.

Why Your Reverse Proxy Is Your Biggest Blind Spot

Most Australian SMBs focus hard on endpoint protection and email security. Fair enough — both matter. But the reverse proxy sitting in front of your website, API, or app is the one component that touches every single inbound request. A vulnerability here means attackers bypass your application logic entirely. They don't need credentials. They don't need a phishing email. They just need you to be unpatched.

If you run NGINX, HAProxy, Caddy, Traefik, Envoy, or Cloudflare in front of anything — and statistically, you do — here are the CVEs that matter right now.


CVE-2024-7646 — Kubernetes Ingress NGINX Auth Annotation Bypass

CVSS: 8.6 (High)
Affected: Kubernetes Ingress NGINX controller versions before 1.12.1 and 1.11.5
In the wild: Yes. Actively exploited in containerised environments.

Plain English: If you run Kubernetes with the NGINX Ingress controller and use auth-url or auth-signin annotations for authentication, an attacker can craft requests that bypass your auth entirely. Every service behind that ingress is exposed — no login required.

Patch by: Upgrade Ingress NGINX controller to v1.12.1 or v1.11.5 immediately.

CVE-2024-45406 — HAProxy Email Address Buffer Over-Read

CVSS: 7.5 (High)
Affected: HAProxy versions before 2.9.10, 2.8.10, and 2.6.16
In the wild: Proof-of-concept published. No confirmed mass exploitation yet.

Plain English: If you run HAProxy with email alerts configured (mailers section) and an attacker can reach a backend that returns crafted responses, HAProxy may leak memory contents. This is an information disclosure issue, not direct remote code execution — but leaked memory can contain session tokens, internal IPs, and config fragments.

Patch by: Upgrade HAProxy to 2.9.10+, 2.8.10+, or 2.6.16+.

CVE-2024-32760 — NGINX Potential SSRF via X-Accel-Redirect

CVSS: 7.0 (High)
Affected: NGINX OSS versions before 1.27.1 and 1.26.2
In the wild: Disclosed publicly. Exploitation requires a specific config but is straightforward for targeted attacks.

Plain English: If your NGINX config uses X-Accel-Redirect headers (common with Rails, Django, or any app that serves files through NGINX), a crafted header from your application could trick NGINX into fetching internal resources it shouldn't reach — like metadata services on cloud hosts, internal APIs, or database ports.

Patch by: Upgrade NGINX to 1.27.1+ or 1.26.2+.

CVE-2024-47907 — OAuth2-Proxy Open Redirect

CVSS: 6.1 (Medium)
Affected: OAuth2-Proxy versions before 7.6.0
In the wild: Yes. Actively used in phishing campaigns that exploit trust in OAuth login flows.

Plain English: If you use OAuth2-Proxy to protect internal apps (common with Google Workspace SSO setups), an attacker can craft a URL that redirects users to a malicious site after they log in. The victim sees your real login page, authenticates successfully, then gets silently redirected. It's a trust exploit — devastating for SMBs using OAuth as their sole access control.

Patch by: Upgrade OAuth2-Proxy to 7.6.0 or later.

CVE-2023-44487 — HTTP/2 Rapid Reset (Ongoing)

CVSS: 7.5 (High)
Affected: NGINX, HAProxy, Envoy, Traefik, Caddy — nearly everything speaking HTTP/2
In the wild: Yes. This was the largest DDoS attack vector of 2024. Still actively exploited.

Plain English: If any of your reverse proxies serve HTTP/2 to the internet (most do by default now), an attacker can send and cancel requests faster than your server can clean them up, exhausting resources with minimal bandwidth. This is a denial-of-service vector — your site goes offline, your API stops responding.

Patch by: All major projects shipped patches in late 2024. The question is whether you applied them. Check your versions.

5-Minute Audit Checklist

Run this right now. Open a terminal on your reverse proxy host:

  1. NGINX: nginx -v — Are you on 1.27.1+ or 1.26.2+? If not, patch tonight.
  2. HAProxy: haproxy -v — Are you on 2.9.10+, 2.8.10+, or 2.6.16+? Check mailers in your config.
  3. Caddy: caddy version — Caddy auto-updates in most setups, but verify you're on 2.8+.
  4. Kubernetes Ingress NGINX: kubectl get pods -n ingress-nginx -o jsonpath='{.items[*].spec.containers[*].image}' — Must be 1.12.1+.
  5. OAuth2-Proxy: Check your deployment version — must be 7.6.0+. Grep your config for redirect-url and verify it's locked to your domain.
  6. Cloudflare: No action needed on your end for edge CVEs — Cloudflare patches their edge. But verify your origin server isn't directly exposed: check that your firewall rules allow inbound traffic only from Cloudflare's published IP ranges.

If any check fails, treat it as a same-day fix — not next week's backlog item.
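The six checks above as one script, added here as an example and not taken from the original post or from any of the projects named. It assumes the version floors exactly as this post states them, the usual one-line banners of nginx -v, haproxy -v and caddy version, the jsonpath query from step 4, and a hypothetical file name proxy-audit.sh; the banner strings in the comments and any test data are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): the 5-minute checklist as a script.
# Assumptions: version floors are the ones the post states; banners are the usual
# one-line output of nginx -v, haproxy -v, caddy version and the step-4 kubectl
# query; the file name proxy-audit.sh is hypothetical. Run: sh proxy-audit.sh --run

# version_ge A B: true when dotted version A is at or above B, field by field.
version_ge() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}          # current field of each (empty once exhausted)
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    x=${x:-0}; y=${y:-0}            # a missing field counts as 0 (2.8 == 2.8.0)
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
  done
  return 0
}

# branch_of 1.26.2 -> 1.26 (the maintenance branch a fix applies to)
branch_of() { printf '%s' "$1" | cut -d. -f1,2; }

# Parsers: turn each tool's banner into a bare dotted version, or print nothing.
# Constructed banner shapes: "nginx version: nginx/1.24.0",
# "HAProxy version 2.8.3-86e043a 2023/09/04 - ...", "v2.8.4 h1:...",
# "registry.k8s.io/ingress-nginx/controller:v1.11.2@sha256:..."
parse_nginx_version()   { printf '%s' "$1" | sed -n 's#^nginx version: nginx/\([0-9][0-9.]*\).*#\1#p'; }
parse_haproxy_version() { printf '%s' "$1" | sed -n 's/^HA-*Proxy version \([0-9][0-9.]*\).*/\1/p'; }
parse_caddy_version()   { printf '%s' "$1" | sed -n 's/^v\([0-9][0-9.]*\).*/\1/p'; }
parse_ingress_version() { printf '%s' "$1" | sed -n 's#.*/controller:v\([0-9][0-9.]*\).*#\1#p'; }

# Floors from the post. A version passes if it is at or above the fixed release
# of its own branch, or above the newest branch listed; anything else fails,
# including branches the post does not list (e.g. HAProxy 2.7.x).
nginx_ok() {
  version_ge "$1" 1.27.1 && return 0
  [ "$(branch_of "$1")" = 1.26 ] && version_ge "$1" 1.26.2 && return 0
  return 1
}
haproxy_ok() {
  version_ge "$1" 2.9.10 && return 0
  [ "$(branch_of "$1")" = 2.8 ] && version_ge "$1" 2.8.10 && return 0
  [ "$(branch_of "$1")" = 2.6 ] && version_ge "$1" 2.6.16 && return 0
  return 1
}
caddy_ok() { version_ge "$1" 2.8; }
ingress_ok() {
  version_ge "$1" 1.12.1 && return 0
  [ "$(branch_of "$1")" = 1.11 ] && version_ge "$1" 1.11.5 && return 0
  return 1
}

# report NAME VERSION CHECK: one line per tool; returns 1 when the check fails.
report() {
  if [ -z "$2" ]; then printf '%-14s could not parse a version - check by hand\n' "$1"; return 0; fi
  if "$3" "$2"; then printf '%-14s %-8s OK\n' "$1" "$2"; return 0; fi
  printf '%-14s %-8s FAIL - patch today\n' "$1" "$2"; return 1
}

# audit: checks whichever tools exist on this host; exit 1 if any check failed.
audit() {
  rc=0
  if command -v nginx >/dev/null 2>&1; then
    report NGINX "$(parse_nginx_version "$(nginx -v 2>&1)")" nginx_ok || rc=1
  fi
  if command -v haproxy >/dev/null 2>&1; then
    report HAProxy "$(parse_haproxy_version "$(haproxy -v 2>&1 | head -n 1)")" haproxy_ok || rc=1
  fi
  if command -v caddy >/dev/null 2>&1; then
    report Caddy "$(parse_caddy_version "$(caddy version 2>&1)")" caddy_ok || rc=1
  fi
  if command -v kubectl >/dev/null 2>&1; then
    images=$(kubectl get pods -n ingress-nginx -o jsonpath='{.items[*].spec.containers[*].image}' 2>/dev/null)
    report Ingress-NGINX "$(parse_ingress_version "$images")" ingress_ok || rc=1
  fi
  return $rc
}

case "${1:-}" in --run) audit ;; esac
```

Run it as sh proxy-audit.sh --run on each proxy host; a non-zero exit means at least one component is below the floor this post gives. The OAuth2-Proxy and Cloudflare steps are not automated here because they depend on how you deploy them; the ingress parser reads the last controller image in the kubectl output, so if several ingress-nginx pods run different images, look at the raw output yourself.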

FAQ

I use Cloudflare. Am I protected against all of these? Cloudflare patches their own edge automatically, but if you run NGINX, HAProxy, or any reverse proxy behind Cloudflare (most SMBs do), you still need to patch your own software. Cloudflare is a layer, not a replacement.

Which reverse proxy is safest for a small Australian business? Caddy has the smallest attack surface and automatic HTTPS with sane defaults. For a single-server setup with fewer than 10 services, Caddy reduces your operational risk significantly. For high-traffic or complex routing, HAProxy with strict config management is the hardened choice.

How often should I check for reverse proxy CVEs? Weekly. Subscribe to the security announce mailing lists for whichever proxy you run. NGINX, HAProxy, and Caddy all publish advisories promptly. Alternatively, use an automated vulnerability scanner that covers your network edge.

Do I need to worry about this if I only serve internal apps? Yes. Lateral movement often starts at the network edge. If your reverse proxy is reachable from any network segment — even a VPN — it's a target.

Conclusion

Your reverse proxy is not set-and-forget infrastructure. Every major proxy has shipped critical patches in the last 12 months, and exploitation is no longer theoretical — it's automated, commoditised, and happening continuously. Run the 5-minute checklist above, patch whatever is behind on versions, and subscribe to advisories for whatever you run. Five minutes of version checking today prevents a weekend of incident response later.

Need help auditing your network edge? Visit consult.lil.business for a free cybersecurity assessment.

