diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28755.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28755.patch
new file mode 100644
index 0000000000..37e6d5b3b4
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.24.0/CVE-2026-28755.patch
@@ -0,0 +1,48 @@
+From 78f581487706f2e43eea5a060c516fc4d98090e8 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov
+Date: Tue, 17 Mar 2026 19:20:03 +0400
+Subject: [PATCH] Stream: fixed client certificate validation with OCSP.
+
+Check for OCSP status was missed in 581cf2267, resulting
+in a broken validation.
+
+Reported by Mufeed VH of Winfunc Research.
+
+CVE: CVE-2026-28755
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8]
+Signed-off-by: Hitendra Prajapati
+---
+ src/stream/ngx_stream_ssl_module.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
+index 1ba1825..c8e8323 100644
+--- a/src/stream/ngx_stream_ssl_module.c
++++ b/src/stream/ngx_stream_ssl_module.c
+@@ -335,6 +335,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+ long rc;
+ X509 *cert;
+ ngx_int_t rv;
++ const char *str;
+ ngx_connection_t *c;
+ ngx_stream_ssl_conf_t *sslcf;
+
+@@ -385,6 +386,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+
+ X509_free(cert);
+ }
++
++ if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) {
++ ngx_log_error(NGX_LOG_INFO, c->log, 0,
++ "client SSL certificate verify error: %s", str);
++
++ ngx_ssl_remove_cached_session(c->ssl->session_ctx,
++ (SSL_get0_session(c->ssl->connection)));
++ return NGX_ERROR;
++ }
+ }
+
+ return NGX_OK;
+--
+2.50.1
+
diff --git a/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2026-28755.patch b/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2026-28755.patch
new file mode 100644
index 0000000000..fdb3dbb7e5
--- /dev/null
+++ b/meta-webserver/recipes-httpd/nginx/nginx-1.25.5/CVE-2026-28755.patch
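Review bot: Nothing in the embedded patch for nginx-1.24.0, or in its copy for nginx-1.25.5, shows that these releases contain 581cf2267, the commit the message names as the origin of the missing OCSP check, so the applicability of the backport cannot be confirmed from this page. The context lines around the added `if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK)` block show only the existing certificate checks of ngx_stream_ssl_handler, whose body starts and ends outside the inner hunks. If the stream module in these versions never sets up OCSP state for the connection, the new branch presumably never fires, and the CVE would be better recorded as not applicable than as patched. Please check the unpacked sources and state the result in the patch header, for example `Comment: 581cf2267 present in this release, verified against the unpacked source`.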
@@ -0,0 +1,48 @@
+From 78f581487706f2e43eea5a060c516fc4d98090e8 Mon Sep 17 00:00:00 2001
+From: Sergey Kandaurov
+Date: Tue, 17 Mar 2026 19:20:03 +0400
+Subject: [PATCH] Stream: fixed client certificate validation with OCSP.
+
+Check for OCSP status was missed in 581cf2267, resulting
+in a broken validation.
+
+Reported by Mufeed VH of Winfunc Research.
+
+CVE: CVE-2026-28755
+Upstream-Status: Backport [https://github.com/nginx/nginx/commit/78f581487706f2e43eea5a060c516fc4d98090e8]
+Signed-off-by: Hitendra Prajapati
+---
+ src/stream/ngx_stream_ssl_module.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
+index 6dee106..9357d09 100644
+--- a/src/stream/ngx_stream_ssl_module.c
++++ b/src/stream/ngx_stream_ssl_module.c
+@@ -342,6 +342,7 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+ long rc;
+ X509 *cert;
+ ngx_int_t rv;
++ const char *str;
+ ngx_connection_t *c;
+ ngx_stream_ssl_srv_conf_t *sscf;
+
+@@ -392,6 +393,15 @@ ngx_stream_ssl_handler(ngx_stream_session_t *s)
+
+ X509_free(cert);
+ }
++
++ if (ngx_ssl_ocsp_get_status(c, &str) != NGX_OK) {
++ ngx_log_error(NGX_LOG_INFO, c->log, 0,
++ "client SSL certificate verify error: %s", str);
++
++ ngx_ssl_remove_cached_session(c->ssl->session_ctx,
++ (SSL_get0_session(c->ssl->connection)));
++ return NGX_ERROR;
++ }
+ }
+
+ return NGX_OK;
+--
+2.50.1
+
diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
index e5666f6fe6..17dab85788 100644
--- a/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
+++ b/meta-webserver/recipes-httpd/nginx/nginx_1.24.0.bb
@@ -2,7 +2,10 @@ require nginx.inc LIC_FILES_CHKSUM = "file://LICENSE;md5=175abb631c799f54573dc481454c8632" -SRC_URI:append = " file://CVE-2023-44487.patch" +SRC_URI:append = " \ + file://CVE-2023-44487.patch \ + file://CVE-2026-28755.patch \ +" SRC_URI[sha256sum] = "77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d" diff --git a/meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb b/meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb index b8ab1ef59e..bb2dda0c13 100644 --- a/meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb +++ b/meta-webserver/recipes-httpd/nginx/nginx_1.25.5.bb @@ -6,5 +6,7 @@ DEFAULT_PREFERENCE = "-1" LIC_FILES_CHKSUM = "file://LICENSE;md5=a6547d7e5628787ee2a9c5a3480eb628" +SRC_URI:append = " file://CVE-2026-28755.patch" + SRC_URI[sha256sum] = "2fe2294f8af4144e7e842eaea884182a84ee7970e11046ba98194400902bbec0"