18 Year Old NGINX Rewrite Module Flaw Enables Unauthenticated Remote Code Execution

Cybersecurity researchers have disclosed multiple security vulnerabilities affecting NGINX Plus and NGINX Open Source, including a critical flaw that reportedly remained unnoticed for nearly 18 years. The vulnerability, identified as CVE-2026-42945 and discovered by cybersecurity research firm depthfirst, affects the ngx_http_rewrite_module and could allow attackers to achieve remote code execution or trigger denial of service conditions using specially crafted HTTP requests. The flaw, which has been assigned a CVSS v4 score of 9.2, has been codenamed NGINX Rift and is considered particularly severe because it can be triggered without authentication.

According to an advisory issued by F5 on May 14, the vulnerability occurs only under specific configuration conditions within the rewrite directive. It exists when a rewrite directive that uses unnamed Perl Compatible Regular Expression captures such as $1 or $2, together with a replacement string containing a question mark, is followed by another rewrite, if, or set directive. Under these circumstances, a remote attacker can exploit the issue by sending crafted HTTP requests that trigger a heap buffer overflow within the NGINX worker process. F5 stated that the vulnerability could force worker process restarts, resulting in service disruption. On systems where Address Space Layout Randomization, commonly known as ASLR, is disabled, successful exploitation may also enable remote code execution. The company explained that exploitation requires additional environmental conditions outside an attacker’s direct control, although the flaw remains reachable without authentication.

In its separate advisory, depthfirst highlighted the seriousness of the vulnerability, stating that a remote attacker capable of reaching a vulnerable NGINX server over HTTP could send a single malicious request to overflow the heap memory of the worker process and potentially achieve remote code execution. The researchers noted there is no requirement for authentication, prior access, or an active session, making the attack surface broader for exposed systems. They further explained that the data written beyond the intended memory allocation is influenced by the attacker’s crafted URI, allowing more controlled memory corruption rather than random outcomes. Repeated malicious requests could also place NGINX workers into a persistent crash cycle, affecting the availability of websites hosted on the same infrastructure and degrading service reliability.

The vulnerability was responsibly disclosed to F5 on April 21, 2026, and fixes have since been released across several supported product versions. Patches have been introduced for NGINX Plus releases R32 through R36, specifically in R32 P6 and R36 P4, while fixes for NGINX Open Source are available in versions 1.30.1 and 1.31.0. However, no fixes are planned for older NGINX Open Source versions between 0.6.27 and 0.9.7. Several additional products impacted by the issue include NGINX Instance Manager, F5 WAF for NGINX, NGINX App Protect WAF, F5 DoS for NGINX, NGINX App Protect DoS, NGINX Gateway Fabric, and multiple releases of NGINX Ingress Controller. Alongside CVE-2026-42945, F5 also addressed three additional vulnerabilities: CVE-2026-42946, an excessive memory allocation issue affecting ngx_http_scgi_module and ngx_http_uwsgi_module; CVE-2026-40701, a use-after-free vulnerability in ngx_http_ssl_module; and CVE-2026-42934, an out-of-bounds read issue in ngx_http_charset_module. Security experts have advised users to update to the latest software versions immediately. For organizations unable to patch CVE-2026-42945 right away, mitigation steps include replacing unnamed captures with named captures in affected rewrite directives to reduce exposure.
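As an added illustration (not code from the advisory, the article, or the NGINX project), the following Python script scans an nginx configuration for rewrite directives that match the shape F5 describes: an unnamed capture such as $1 in the replacement, a question mark in the replacement, and another rewrite, if, or set directive following in the same block. The sample configuration and the matching rules are constructed assumptions for a heuristic triage pass, not the exact trigger condition; a named-capture block is included to show the mitigation the advisory recommends.

```python
import re

# Constructed sample configuration: /old has the risky shape, /safe uses a
# named capture ($path) as mitigation, /alone has no following directive.
SAMPLE_CONF = """
server {
    location /old {
        rewrite ^/old/(.*)$ /new/$1?from=legacy last;
        set $tag "x";
    }
    location /safe {
        rewrite ^/old/(?<path>.*)$ /new/$path?from=legacy last;
        set $tag "x";
    }
    location /alone {
        rewrite ^/a/(.*)$ /b/$1?x=1 last;
    }
}
"""

DIRECTIVE_RE = re.compile(r'^\s*(rewrite|if|set)\b(.*)$')
UNNAMED_CAP_RE = re.compile(r'\$[1-9]')  # $1..$9, but not $path or $uri


def find_risky_rewrites(conf_text):
    """Return (line_no, directive) pairs for rewrite directives whose replacement
    uses an unnamed capture and contains '?', and which are followed by another
    rewrite/if/set directive before the enclosing block closes (heuristic)."""
    lines = conf_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        m = DIRECTIVE_RE.match(line)
        if not m or m.group(1) != 'rewrite':
            continue
        parts = line.strip().rstrip(';').split()   # rewrite <regex> <replacement> [flag]
        if len(parts) < 3:
            continue
        replacement = parts[2]
        if not (UNNAMED_CAP_RE.search(replacement) and '?' in replacement):
            continue
        for nxt in lines[i + 1:]:                  # next meaningful line in this block
            s = nxt.strip()
            if not s or s.startswith('#'):
                continue
            if not s.startswith('}') and DIRECTIVE_RE.match(nxt):
                findings.append((i + 1, line.strip()))
            break
    return findings


if __name__ == "__main__":
    for line_no, directive in find_risky_rewrites(SAMPLE_CONF):
        print(f"line {line_no}: review or convert to named captures: {directive}")
```

Run it against `nginx -T` output to triage a live configuration; a match is a prompt to review and patch, not confirmation of exploitability.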
