Nginx 1.29.8 lands with OpenSSL 4.0 support, but FreeNginx is still on 1.29.7
4 min. read 
Published on
Nginx has released version 1.29.8 as a new mainline update, adding OpenSSL 4.0 compatibility and a few notable fixes and features. The update went live on April 7, 2026, according to the project’s official news page.
The bigger correction here is that FreeNginx did not release a matching 1.29.8 build on April 7. Its latest listed mainline release is still FreeNginx 1.29.7, published on March 31, 2026.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
That matters because some write-ups have bundled the two together and described both as fresh critical security releases. The official Nginx changelog for 1.29.8 does not list new CVEs. Instead, it adds the new max_headers directive, OpenSSL 4.0 compatibility, wildcard support for include inside geo blocks, and a few bug fixes.
What Nginx 1.29.8 actually adds
The headline addition in Nginx 1.29.8 is OpenSSL 4.0 compatibility. That does not mean Nginx suddenly ships a new encryption stack of its own, but it does mean admins testing or planning for future OpenSSL 4.0 environments now have official compatibility in current mainline code.
Another notable addition is the new max_headers directive. This lets admins limit how many client request headers Nginx will accept before returning a 400 Bad Request error. The project documentation says the directive defaults to 1000 and works in the http and server contexts.
Nginx 1.29.8 also adds wildcard support for the include directive inside geo blocks. That should make large geolocation-based configurations easier to manage, especially in environments that split IP rules across many files.
What bugs were fixed
The official changelog says 1.29.8 fixes processing of HTTP 103 responses from proxied backends. Since Nginx 1.29.0 introduced support for 103 Early Hints from proxy and gRPC backends, this patch looks like a follow-up stability fix rather than a brand-new feature.
It also fixes a problem where the $request_port and $is_request_port variables were not available in subrequests. Those variables first appeared in Nginx 1.29.3, so this release addresses a gap in how they behaved in some internal request flows.
There is one more practical point for admins watching security updates closely. Nginx’s official security advisory page still shows the March fixes as the important security line in recent releases. For example, CVE-2026-27654 is listed as not affecting 1.29.7 and later, and not affecting 1.28.3 and later.
FreeNginx is following a slightly different track
FreeNginx is the fork maintained by Maxim Dounin, but its current public release track does not match the claim that FreeNginx 1.29.8 launched alongside Nginx 1.29.8. The official FreeNginx news page still lists 1.29.7 from March 31 as the latest mainline version.
Its changelog does show OpenSSL 4.0 compatibility in FreeNginx 1.29.7. That means the OpenSSL 4.0 work reached the fork already, just under a different version number than the one now shipping in upstream Nginx.
FreeNginx also had max_headers earlier. Its documentation says that directive appeared in version 1.27.1, so it is not a new feature there.
What admins should do now
If you run Nginx mainline, 1.29.8 is the latest release and it brings worthwhile compatibility and bug-fix updates. If your environment depends on mainline features, upgrading makes sense after normal testing.
If your priority is patch status for known vulnerabilities, keep the version line in mind. Nginx’s public advisories show that several recent security issues were already fixed in 1.29.7 and 1.28.3. So 1.29.8 is best described as the newest mainline maintenance update, not as the first version that closes those disclosed CVEs.
For FreeNginx users, the accurate current reference point is 1.29.7. There is no official FreeNginx 1.29.8 release listed at the time of writing.
Quick version check
| Project | Latest confirmed release | Release date | Key point |
|---|---|---|---|
| Nginx mainline | 1.29.8 | April 7, 2026 | Adds OpenSSL 4.0 compatibility, max_headers, geo wildcard include support, and bug fixes |
| Nginx stable | 1.28.3 | March 24, 2026 | One of the current branches listed as not vulnerable to several March 2026 issues |
| FreeNginx | 1.29.7 | March 31, 2026 | Includes OpenSSL 4.0 compatibility, but no official 1.29.8 release is listed |
Key takeaways
- Nginx 1.29.8 is real and officially released on April 7, 2026.
- FreeNginx did not officially release version 1.29.8 alongside it. The latest listed FreeNginx release is 1.29.7.
- Nginx 1.29.8 adds OpenSSL 4.0 compatibility and new features, but the official changelog does not present it as a dedicated CVE security drop.
- Recent disclosed Nginx vulnerabilities were already fixed in 1.29.7 and 1.28.3.
FAQ
Not in the narrow CVE sense based on the official changelog. It includes compatibility improvements and bug fixes, but Nginx’s public advisories point to 1.29.7 and 1.28.3 as the versions that already covered several recently disclosed issues.
No official FreeNginx 1.29.8 release appears on the project’s news page. The latest listed release is FreeNginx 1.29.7 from March 31, 2026.
It limits how many request header fields a client may send. If the limit is exceeded, Nginx returns HTTP 400.
Yes, after standard testing, especially if they track mainline or want OpenSSL 4.0 compatibility. But they should not assume this is the first release that fixed the recent published CVEs.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages