NGINX Rift CVE-2026-42945: 18-Year-Old Flaw Threatens Millions of Servers

An 18-year-old security flaw has been hiding inside the world’s most widely deployed web server — and now, with a working exploit already circulating on GitHub, millions of servers running NGINX could be one crafted HTTP request away from a crash or full remote takeover. The vulnerability, officially tracked as CVE-2026-42945 and nicknamed NGINX Rift, carries a CVSS v4 score of 9.2 — placing it firmly in “critical” territory. If you run NGINX in production, read this before you do anything else today.

What Is NGINX Rift (CVE-2026-42945)?

NGINX Rift is a heap buffer overflow vulnerability residing in NGINX’s ngx_http_rewrite_module — the component responsible for handling URL rewrite rules. The bug was first introduced into the NGINX codebase way back in 2008, with version 0.6.27. That means it has silently persisted across virtually every NGINX release for the past 18 years, untouched and undetected.

On May 13, 2026, security research firm depthfirst published a coordinated disclosure alongside F5, NGINX’s parent company. Along with that disclosure, they released a working proof-of-concept (PoC) exploit on GitHub demonstrating unauthenticated remote code execution. The clock is now ticking for every unpatched server on the internet.

NGINX isn’t a niche product. It powers approximately 34% of all websites globally and operates as a reverse proxy in Kubernetes clusters, API gateways, CDN edge nodes, and load balancers worldwide. That’s hundreds of millions of installations. The blast radius here is enormous.

How the Exploit Actually Works

The vulnerability is deceptively elegant. It comes down to a size mismatch between two passes over NGINX’s rewrite replacement string.

Here’s the technical breakdown. When a rewrite directive references an unnamed PCRE capture (such as $1 or $2) in a replacement string that contains a question mark, and that directive is followed by another rewrite, if, or set directive in the same scope, NGINX computes the destination buffer size with one escaping method — but then writes the output with a different one.

Characters like +, %, and & expand during re-escaping, and the write operation runs past the end of the allocated memory buffer. This is a classic heap overflow — controllable, exploitable, and in this case achievable without any authentication whatsoever by sending a single specially crafted HTTP request.

The immediate impact is a denial of service: the NGINX worker process crashes or enters a restart loop, knocking your site offline. But under conditions where ASLR (Address Space Layout Randomization) is disabled — as is common in certain containerized environments and legacy server deployments — the bug escalates to full remote code execution. An attacker gets a shell on your server without ever logging in.

Which NGINX Versions Are Affected?

The scope is staggering. CVE-2026-42945 affects:

  • NGINX Open Source: versions 0.6.27 through 1.30.0 (all releases from 2008 to just days ago)
  • NGINX Plus: R32 through R36 (all currently supported commercial versions)

To put that in perspective: if you installed NGINX any time in the past 18 years and haven’t updated in the last 48 hours, you’re likely running a vulnerable version right now. Most Linux distributions still ship NGINX 1.26.x or 1.28.x in their default repositories — squarely in the affected range.

Why WordPress Sites Are Especially Vulnerable

If you run a WordPress site behind NGINX — and tens of millions of people do — pay close attention. The vulnerable rewrite pattern isn’t some obscure edge case. It’s baked into how WordPress permalink configurations are handled by NGINX.

The standard NGINX WordPress configuration uses rewrite rules with unnamed captures to route requests to index.php. That alone doesn’t trigger the bug — but it becomes dangerous the moment certain additional rules are layered on. Specifically, older versions of WP-Toolkit (used in cPanel and Plesk environments) automatically inject vulnerable rewrite directives when you enable either of these settings:

  • Enable hotlink protection
  • Block author scans (from the WP-Toolkit security audit)

If you’ve ever clicked through WP-Toolkit’s “Secure your WordPress” wizard and enabled those options, your NGINX configuration may already contain the dangerous pattern — and you’d have no idea without checking. This is a case where trying to be more secure actually opened a critical attack vector. (Speaking of server security, the recent cPanel zero-day CVE-2026-41940 showed us just how devastating web server attacks can be.)

A Working PoC Is Already Public

This isn’t just theoretical. The researchers at depthfirst published a full working proof-of-concept exploit for CVE-2026-42945 on GitHub the same day the vulnerability was disclosed — May 13, 2026. The PoC demonstrates unauthenticated remote code execution against servers with ASLR disabled.

Security professionals have a name for this situation: “N-day exploitation.” Once a PoC is public, malicious actors don’t need to do any of their own research — they can simply adapt and deploy it. Historical data shows that high-profile CVEs with public PoCs are typically weaponized by attackers within 72 hours of disclosure.

The PoC was published two days ago. The window is closing fast.

The rise of AI-assisted cyberattacks documented in Mandiant’s 2026 M-Trends report means threat actors can now adapt and weaponize exploits faster than ever. NGINX Rift is exactly the type of vulnerability that gets picked up and automated within days.

How to Patch CVE-2026-42945 Right Now

The fix is available and you should deploy it immediately. Here’s exactly what you need to do:

For NGINX Open Source Users

Upgrade to one of the following patched releases:

  • NGINX 1.30.1 (stable branch, patched)
  • NGINX 1.31.0 (mainline branch, patched)

On Ubuntu/Debian systems, you can check your current version with nginx -v and upgrade via:

sudo apt update && sudo apt upgrade nginx
sudo nginx -s reload

Note: Your distribution repository may not have the patched version yet. AlmaLinux confirmed testing builds are available; check your distro’s security advisories for package availability. Also be aware that nginx -s reload only re-reads the configuration; the master process keeps executing the binary it was started with, so after the package upgrade restart the service (sudo systemctl restart nginx) to make sure the patched binary is actually the one running.

For NGINX Plus Users

F5 has released patches in:

  • NGINX Plus R32 P6
  • NGINX Plus R36 P4

Contact F5 support or use the NGINX Plus repository to apply the patch. Immediate patching is strongly recommended given the public PoC.

Temporary Mitigation If You Can’t Patch Immediately

If you cannot upgrade right now, the most effective workaround is to replace all unnamed captures with named captures in your NGINX rewrite directives. For example, change:

# Vulnerable pattern
rewrite ^/product/(.*)$ /index.php?item=$1? last;

# Safe equivalent using named capture
rewrite ^/product/(?P<slug>.*)$ /index.php?item=${slug}? last;

Switching to named captures sidesteps the buggy code path entirely since the overflow only occurs in the unnamed capture processing logic. This won’t protect you permanently, but it buys time until a full patch can be deployed.

How to Identify Vulnerable Configurations

Run this one-liner to scan your NGINX config for potentially vulnerable rewrite patterns:

grep -rn "rewrite.*\$[0-9].*?" /etc/nginx/

If this returns results, audit each one carefully. Look for rules where an unnamed capture ($1, $2) appears alongside a ? in the replacement string, followed by rewrite, if, or set in the same configuration block.
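Going a step beyond the grep one-liner, here is a small Python scanner, added as an example (it is not code from the original post, from depthfirst or from F5), that applies the three conditions above: an unnamed capture reference in the replacement, a ? in the replacement, and a following rewrite, if or set directive inside the same block. Its comment stripping and brace tracking are line-based heuristics rather than a full nginx configuration parser, and the sample configuration it scans when run without arguments is constructed for the demonstration.

```python
import re
import sys
# Directives that complete the advisory's pattern when they follow a candidate rewrite.
FOLLOW_UP_RE = re.compile(r'^\s*(rewrite|if|set)\b')
# rewrite <regex> <replacement> [flag];  the replacement is the second argument
REWRITE_RE = re.compile(r'^\s*rewrite\s+(\S+)\s+(\S+)')
# $1 .. $9 reference unnamed PCRE captures; $slug and ${slug} do not match
UNNAMED_REF_RE = re.compile(r'\$[1-9]')
def find_risky_rewrites(config_text):
    """Return [(line_no, directive)] for each rewrite whose replacement uses an unnamed
    capture and contains '?' and that is followed by rewrite/if/set in the same block."""
    findings = []
    pending = [[]]  # one list of candidate rewrites per open block (innermost last)
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split('#', 1)[0]  # drop trailing comments (heuristic)
        if FOLLOW_UP_RE.match(line):
            findings.extend(pending[-1])  # earlier candidates now have their follow-up
            pending[-1] = []
            m = REWRITE_RE.match(line)
            if m and UNNAMED_REF_RE.search(m.group(2)) and '?' in m.group(2):
                pending[-1].append((line_no, line.strip()))
        # A '{' ending the line opens a block, a line starting with '}' closes one; braces inside regexes such as \d{4} are ignored.
        stripped = line.strip()
        if stripped.endswith('{'):
            pending.append([])
        elif stripped.startswith('}') and len(pending) > 1:
            pending.pop()  # candidates without a follow-up die with their block
    return findings

# Constructed sample configuration for a stand-alone run (not from any real server).
SAMPLE_CONFIG = """\
server {
    location / {
        rewrite ^/product/(.*)$ /index.php?item=$1? last;   # $1 and '?' ...
        set $blocked 1;                                     # ... followed by set
    }
    location /named {
        rewrite ^/item/(?<slug>.*)$ /index.php?item=${slug}? last;  # named capture
        set $blocked 1;
    }
    location /alone {
        rewrite ^/old/(.*)$ /new/$1? permanent;   # no follow-up directive in the block
    }
}
"""
if __name__ == "__main__":  # scan the files given as arguments, else the sample
    sources = [(p, open(p, encoding="utf-8").read()) for p in sys.argv[1:]]
    for name, text in sources or [("sample", SAMPLE_CONFIG)]:
        print("\n".join(f"{name}:{n}: {d}" for n, d in find_risky_rewrites(text)))
```

Saved as scan_rewrites.py (an assumed file name), it can be run as python3 scan_rewrites.py /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf /etc/nginx/sites-enabled/* against a real installation; every match is a candidate for the named-capture rewrite shown in the mitigation section. Included files must be listed explicitly, because the script does not follow include directives.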

CVE-2026-42945 Disclosure Timeline

Understanding the timeline helps illustrate how seriously this was handled — and how urgently you need to act now that the information is public:

  • 2008: Vulnerable code introduced into NGINX 0.6.27
  • April 21, 2026: depthfirst researchers responsibly disclose to F5/NGINX
  • May 13, 2026: F5 confirms, patches, and publishes coordinated advisory
  • May 13, 2026: depthfirst publishes PoC exploit on GitHub
  • May 13, 2026: AlmaLinux, Ubuntu, and other distros begin packaging patched versions
  • May 15, 2026 (Today): Exploitation window is wide open for unpatched servers

The responsible disclosure window was tight — just 22 days from report to patch. That’s fast by industry standards, but the simultaneous release of a public PoC means defenders have almost no grace period.

The Bigger Picture: Why This Keeps Happening

NGINX Rift is a textbook example of a class of vulnerabilities security researchers call “slow burn” flaws — bugs that are introduced early in a project’s lifecycle, buried in rarely scrutinized code, and overlooked through years of audits, updates, and security reviews. The ngx_http_rewrite_module is foundational infrastructure. Nobody was looking for bugs there because nobody thought there were any.

This isn’t a new phenomenon. The OpenSSL Heartbleed vulnerability (CVE-2014-0160) went undetected for two years before causing a global internet crisis. Log4Shell (CVE-2021-44228) existed for eight years before anyone noticed. Now NGINX Rift has beaten both of them in longevity at 18 years.

The uncomfortable truth is that the software infrastructure running the modern internet is riddled with old code that has never received serious modern security scrutiny. As AI-powered scanning tools become more accessible — as we’re already seeing in the Mandiant 2026 M-Trends data — the rate at which these dormant bugs get discovered and weaponized is only going to accelerate.

For organizations still building teams and infrastructure to handle these threats, understanding how to automate security responses with AI agents is increasingly becoming a critical skill. The manual patch-and-pray approach simply doesn’t scale against the current threat landscape.

What You Should Do Right Now

Here’s a condensed action checklist for anyone running NGINX:

  1. Check your NGINX version immediately: Run nginx -v. If you’re on anything below 1.30.1, you’re vulnerable.
  2. Audit your rewrite rules: Use the grep command above to find potentially dangerous patterns.
  3. Check WP-Toolkit settings: If you use WP-Toolkit with hotlink protection or author scan blocking enabled, audit the generated NGINX config file.
  4. Patch as soon as your distro repo has it: Don’t wait. This has a public PoC and active interest from threat actors.
  5. Disabled ASLR is a huge risk factor: Ensure ASLR is enabled (cat /proc/sys/kernel/randomize_va_space should return 2). If it’s 0, RCE is trivially achievable on an unpatched server.
  6. Monitor your NGINX logs for unusual patterns — large volumes of requests hitting rewrite-heavy URL paths could indicate probing activity.

The Bottom Line

NGINX Rift is the kind of vulnerability that keeps security teams up at night — and rightly so. An 18-year-old critical flaw in software serving a third of the internet, with a public exploit already available, is about as close to a “code red” scenario as the web infrastructure community gets. The good news: patches exist and are deployable right now. The bad news: most organizations won’t act fast enough.

Don’t be one of them. Patch your NGINX installations today, audit your rewrite configurations, and if you’re using WP-Toolkit security features on NGINX, treat your server as potentially compromised until you’ve verified the configuration is clean.

The vulnerability was hiding for 18 years. The exploit has been public for 48 hours. The math isn’t complicated.


Have you patched your NGINX installations yet? Share your experience in the comments below, or reach out if you need help auditing your configuration.
