18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE

Ravie Lakshmanan | May 14, 2026 | Vulnerability / Web Server

Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open Source, including a critical flaw that remained undetected for 18 years.

The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a denial-of-service (DoS) with crafted requests.
It has been codenamed NGINX Rift.

"NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module," F5 said in an advisory released Wednesday. "This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?)."

"An unauthenticated attacker, along with conditions beyond its control, can exploit this vulnerability by sending crafted HTTP requests.
This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR) disabled, code execution is possible."

The issue has been addressed in the following versions after responsible disclosure on April 21, 2026:

- NGINX Plus R32 - R36 (Fixes introduced in R32 P6 and R36 P4)
- NGINX Open Source 1.0.0 - 1.30.0 (Fixes introduced in 1.30.1 and 1.31.0)
- NGINX Open Source 0.6.27 - 0.9.7 (No fixes planned)
- NGINX Instance Manager 2.16.0 - 2.21.1
- F5 WAF for NGINX 5.9.0 - 5.12.1
- NGINX App Protect WAF 4.9.0 - 4.16.0
- NGINX App Protect WAF 5.1.0 - 5.8.0
- F5 DoS for NGINX 4.8.0
- NGINX App Protect DoS 4.3.0 - 4.7.0
- NGINX Gateway Fabric 1.3.0 - 1.6.2
- NGINX Gateway Fabric 2.0.0 - 2.5.1
- NGINX Ingress Controller 3.5.0 - 3.7.2
- NGINX Ingress Controller 4.0.0 - 4.0.1
- NGINX Ingress Controller 5.0.0 - 5.4.1

In its own advisory, depthfirst said the vulnerability could allow a remote, unauthenticated attacker to corrupt the heap of an NGINX worker process by sending a crafted URI.
What makes the vulnerability severe is that it's reachable without authentication, can be reliably used to trigger the heap overflow, and can lead to remote code execution in the NGINX worker process.

"An attacker who can reach a vulnerable NGINX server over HTTP can send a single request that overflows the heap in the worker process and achieves remote code execution," depthfirst said. "There is no authentication step, no prior access requirement, and no need for an existing session."

"The bytes written past the allocation are derived from the attacker’s URI, so the corruption is shaped by the attacker rather than random.
Repeated requests can also be used to keep workers in a crash loop and degrade availability for every site served by the instance."

Also patched in NGINX Plus and NGINX Open Source are three other flaws:

- CVE-2026-42946 (CVSS v4 score: 8.3) - An excessive memory allocation vulnerability in the ngx_http_scgi_module and ngx_http_uwsgi_module modules that could allow a remote, unauthenticated attacker with adversary-in-the-middle (AitM) capabilities to control responses from an upstream server to read the memory of the NGINX worker process or restart it when scgi_pass or uwsgi_pass is configured.
- CVE-2026-40701 (CVSS v4 score: 6.3) - A use-after-free vulnerability in the ngx_http_ssl_module module that could allow a remote, unauthenticated attacker to have limited control of modification of data or restart the NGINX worker process when the ssl_verify_client directive is set to "on" or "optional," and the ssl_ocsp directive is set to "on."
- CVE-2026-42934 (CVSS v4 score: 6.3) - An out-of-bounds read vulnerability in the ngx_http_charset_module module that could allow a remote, unauthenticated attacker to disclose memory contents or restart the NGINX worker process when charset, source_charset, and charset_map, and proxy_pass with disabled buffering ("off") directives are configured.

Users are advised to apply the latest versions for optimal protection. If immediate patching is not an option for CVE-2026-42945, users are advised to change the rewrite configuration by replacing unnamed captures with named captures in every affected rewrite directive.
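
To find the rewrite rules that the interim mitigation applies to, a configuration audit can look for the conditions quoted from the F5 advisory. The script below is an added example, not code from F5, depthfirst or the article: it is a line-based heuristic, the sample configuration is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample config (not from the article): one rewrite that meets the
# advisory's conditions, the same rule with a named capture, and a benign rule.
SAMPLE_CONF = r"""
server {
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1?src=legacy last;
        set $migrated 1;
    }
    location /shop/ {
        rewrite ^/shop/(?<item>.*)$ /store/$item?src=legacy last;
        set $migrated 1;
    }
    location /plain/ {
        rewrite ^/plain/(.*)$ /p/$1 last;
    }
}
"""

UNNAMED = re.compile(r"\$\d")         # unnamed captures: $1, $2, ...
FOLLOWERS = {"rewrite", "if", "set"}  # directives named in the F5 advisory

def directives(conf):
    """Yield (line_no, name, args) per line; naive, one directive per line."""
    for no, line in enumerate(conf.splitlines(), 1):
        text = re.sub(r"(^|\s)#.*", "", line).strip()   # drop comments
        if text == "}":
            yield no, "}", []          # block end: nothing "follows" across it
            continue
        tokens = text.rstrip(";{").split()
        if tokens:
            yield no, tokens[0], tokens[1:]

def find_risky(conf):
    """Return [(line_no, next_directive)] for rewrites matching the advisory."""
    items = list(directives(conf))
    hits = []
    for i, (no, name, args) in enumerate(items):
        if name != "rewrite" or len(args) < 2:
            continue
        nxt = items[i + 1][1] if i + 1 < len(items) else None
        if UNNAMED.search(args[1]) and "?" in args[1] and nxt in FOLLOWERS:
            hits.append((no, nxt))
    return hits

if __name__ == "__main__":
    for no, nxt in find_risky(SAMPLE_CONF):
        print(f"line {no}: unnamed capture and '?' in replacement, then '{nxt}'")
```

Only the `/old/` rule is reported; the `/shop/` rule shows the named-capture form the mitigation calls for. Included files and multi-line directives are outside what this heuristic reads, so review those by hand.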