diff --git a/0006-Upstream-detect-premature-plain-text-response-from-S.patch b/0006-Upstream-detect-premature-plain-text-response-from-S.patch
new file mode 100644
index 0000000..ba85cc4
--- /dev/null
+++ b/0006-Upstream-detect-premature-plain-text-response-from-S.patch
@@ -0,0 +1,45 @@
+From 93ac6eae019e30fc22d2d5321acb28de549f73aa Mon Sep 17 00:00:00 2001
+From: Roman Arutyunyan <arut@nginx.com>
+Date: Thu, 29 Jan 2026 13:27:32 +0400
+Subject: [PATCH] Upstream: detect premature plain text response from SSL
+ backend.
+
+When connecting to a backend, the connection write event is triggered
+first in most cases.  However if a response arrives quickly enough, both
+read and write events can be triggered together within the same event loop
+iteration.  In this case the read event handler is called first and the
+write event handler is called after it.
+
+SSL initialization for backend connections happens only in the write event
+handler since SSL handshake starts with sending Client Hello.  Previously,
+if a backend sent a quick plain text response, it could be parsed by the
+read event handler prior to starting SSL handshake on the connection.
+The change adds protection against parsing such responses on SSL-enabled
+connections.
+---
+ src/http/ngx_http_upstream.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
+index 2ce9f21..70c3b46 100644
+--- a/src/http/ngx_http_upstream.c
++++ b/src/http/ngx_http_upstream.c
+@@ -2461,6 +2461,15 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
+             return;
+         }
+ 
++#if (NGX_HTTP_SSL)
++        if (u->ssl && c->ssl == NULL) {
++            ngx_log_error(NGX_LOG_ERR, c->log, 0,
++                          "upstream prematurely sent response");
++            ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
++            return;
++        }
++#endif
++
+         u->state->bytes_received += n;
+ 
+         u->buffer.last += n;
+-- 
+2.44.0
+
diff --git a/nginx.spec b/nginx.spec
index 69f06a5..d7221a3 100644
--- a/nginx.spec
+++ b/nginx.spec
@@ -2,7 +2,7 @@
 ## (rpmautospec version 0.6.5)
 ## RPMAUTOSPEC: autorelease, autochangelog
 %define autorelease(e:s:pb:n) %{?-p:0.}%{lua:
-    release_number = 1;
+    release_number = 2;
     base_release_number = tonumber(rpm.expand("%{?-b*}%{!?-b:1}"));
     print(release_number + base_release_number - 1);
 }%{?-e:.%{-e*}}%{?-s:.%{-s*}}%{!?-n:%{?dist}}
@@ -119,6 +119,10 @@ Patch3:            0004-Disable-ENGINE-support.patch
 # downstream patch - Compile perl module with O2
 Patch4:            0005-Compile-perl-module-with-O2.patch
 
+# https://issues.redhat.com/browse/RHEL-146516
+# upstream patch - https://github.com/nginx/nginx/commit/784fa05025cb8cd0c770f99bc79d2794b9f85b6e
+Patch5:            0006-Upstream-detect-premature-plain-text-response-from-S.patch
+
 BuildRequires:     make
 BuildRequires:     gcc
 BuildRequires:     gnupg2
@@ -640,6 +644,10 @@ fi
 
 %changelog
 ## START: Generated by rpmautospec
+* Wed Feb 11 2026 Luboš Uhliarik <luhliari@redhat.com> - 2:1.26.3-2
+- CVE-2026-1642 nginx: NGINX: Data injection via man-in-the-middle attack
+  on TLS proxied connections
+
 * Thu Feb 06 2025 Luboš Uhliarik <luhliari@redhat.com> - 2:1.26.3-1
 - New version 1.26.3