NGINX Rift CVE-2026-42945: The 18-Year-Old Vulnerability Now Actively Exploiting Servers
An 18-year-old vulnerability hiding inside the world’s most popular web server just became a weapon. CVE-2026-42945 — dubbed NGINX Rift — is a critical heap buffer overflow flaw in NGINX’s URL rewriting module that enables unauthenticated remote code execution (RCE). It was introduced in 2008, it affects every major version of NGINX released in the past 18 years, and it is now being actively exploited in the wild.
If you run NGINX and you haven’t patched yet, you need to stop reading this article and do that first. Come back when you’re done. We’ll wait.
For everyone else, here’s what happened, why it took 18 years to find, how it works, and what it means for the millions of servers currently running vulnerable code.
What Is NGINX Rift (CVE-2026-42945)?
NGINX Rift is a heap buffer overflow in the ngx_http_rewrite_module — the component responsible for processing URL rewrite rules. The vulnerability was assigned a CVSS score of 9.2 (Critical), and for good reason: under specific configuration conditions, an unauthenticated remote attacker can send a crafted HTTP request that corrupts the heap of an NGINX worker process, potentially achieving full remote code execution.
The vulnerability was discovered in April 2026 by security firm depthfirst during a routine code audit — but in a twist that defines the current era of AI-powered security research, the bug wasn’t found by a human analyst. An autonomous AI-powered analysis system flagged it. Eighteen years of human eyes on NGINX code never caught it. An AI found it in weeks.
That detail alone is worth sitting with.
Which Versions Are Affected?
The scope of this vulnerability is staggering. NGINX Rift affects:
- NGINX Open Source versions 0.6.27 through 1.30.0 (introduced 2008, affects virtually every production deployment)
- NGINX Plus R32 through R36
- NGINX Instance Manager
- NGINX App Protect WAF
- NGINX Ingress Controller
NGINX powers an estimated 34% of all active websites globally — hundreds of millions of servers. Even a small percentage of those running vulnerable configurations represents an enormous attack surface. Security researchers at AlmaLinux confirmed patches were released in NGINX versions 1.30.1 and 1.31.0 on May 13, 2026.
How Does the Exploit Work? (Technical Breakdown)
The vulnerability lives in a very specific interaction within NGINX’s rewrite rule processing. For the bug to be exploitable, the server configuration must use a rewrite directive that:
- Is followed by a rewrite, if, or set directive
- Uses an unnamed Perl-Compatible Regular Expression (PCRE) capture group (e.g., $1, $2)
- Includes a replacement string containing a question mark (?)
When these conditions align, an attacker can send a crafted URI that causes the rewrite module to write beyond the bounds of its allocated heap buffer. The corruption of the NGINX worker process’s heap is the foothold — from there, with the right payload, arbitrary code execution becomes achievable.
This is a classic memory safety bug of the kind that plagues C codebases: a bounds check was missing, edge cases in regex capture handling weren’t accounted for, and because the bug required a specific combination of directives to trigger, it hid invisibly in production configurations for nearly two decades.
Security researchers at Picus Security have published a detailed technical breakdown of the vulnerability for defenders and threat hunters.
Active Exploitation: What Attackers Are Doing Right Now
The vulnerability didn’t stay theoretical for long. Within days of public disclosure, security monitoring services began detecting exploitation attempts in the wild. The attack pattern follows a familiar playbook:
- Mass scanning for NGINX servers with vulnerable configurations
- Automated exploitation attempting RCE to establish initial access
- Backdoor implantation on successfully compromised hosts
- Lateral movement into internal networks once a foothold is established
The combination of the vulnerability’s age (meaning most security teams never expected it), its widespread presence in production configs, and the availability of working exploit code has made NGINX Rift one of the most actively targeted vulnerabilities of 2026. This mirrors the pattern seen in other devastating server-side vulnerabilities like Log4Shell and the 2026 cPanel zero-day that compromised 44,000 servers.
Is Your Server Vulnerable? How to Check
Not all NGINX deployments are vulnerable — the exploit requires a specific type of rewrite rule configuration. To check if your server is at risk:
Step 1: Check your NGINX version
nginx -v
If you’re running anything below 1.30.1, you’re running vulnerable software. Patch immediately.
Step 2: Audit your rewrite rules
Search your NGINX configuration files for patterns that use unnamed capture groups followed by ? in the replacement string. The NGINX security advisories page at nginx.org includes configuration examples of vulnerable patterns.
Step 3: Apply the patch
Update to NGINX 1.30.1 (stable) or 1.31.0 (mainline). For NGINX Plus customers, F5 has released patches for all affected versions — check the F5 security advisory for your specific version.
Step 4: Workaround (if patching isn’t immediately possible)
Rewrite vulnerable regex patterns to use named captures instead of unnamed captures. For example, replace (\w+) with (?P<name>\w+) and reference it as $name. This eliminates the vulnerable code path without requiring a version upgrade.
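The checks in Steps 1 through 4, as an added shell helper that is not part of the original article, of NGINX or of F5's advisory: it pulls the version out of the `nginx -v` banner, compares it against the first fixed stable release, and scans a constructed sample config for the three-condition rewrite pattern, with the named-capture workaround shown beside the risky form. The function names, the sample config and the scan heuristic are this example's own assumptions.

```shell
# Added audit helper for Steps 1-4 (not code from NGINX, F5 or the advisory).
# The rewrite scan is a heuristic mirroring the article's three conditions;
# review every hit by hand, and feed `nginx -v 2>&1` to parse_nginx_version.
parse_nginx_version() {
    printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9.]*\).*#\1#p'
}
# Returns 0 (true) when MAJOR.MINOR.PATCH is below 1.30.1, the fixed stable.
nginx_version_vulnerable() {
    set -- $(printf '%s' "$1" | tr . ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    [ "$maj" -lt 1 ] && return 0
    [ "$maj" -eq 1 ] && [ "$min" -lt 30 ] && return 0
    [ "$maj" -eq 1 ] && [ "$min" -eq 30 ] && [ "$pat" -lt 1 ] && return 0
    return 1
}
# Reads an NGINX config on stdin; prints "LINE: text" for each rewrite whose
# regex has an unnamed "(" group, whose replacement contains "?", and whose
# next directive is rewrite, if or set (the combination the article names).
find_risky_rewrites() {
    awk '
    { line = $0; sub(/^[ \t]+/, "", line) }
    line == "" || line ~ /^#/ { next }
    pending != "" {
        if (line ~ /^(rewrite|if|set)[ \t(]/) print pending
        pending = ""
    }
    line ~ /^rewrite[ \t]/ {
        split(line, f, /[ \t]+/)
        # "(" not followed by "?" = unnamed group; an escaped "\(" can false-positive
        if (f[2] ~ /\([^?]/ && index(f[3], "?") > 0) pending = NR ": " $0
    }'
}
# Constructed sample (not a real server config): line 2 is the risky pattern,
# line 4 is the named-capture workaround, line 6 lacks "?", line 8 has no
# following rewrite/if/set directive.
sample_config() {
    cat <<'EOF'
server {
    rewrite ^/old/(\w+)$ /new?page=$1 last;
    set $flag 1;
    rewrite ^/safe/(?P<slug>\w+)$ /new?page=$slug last;
    set $flag 2;
    rewrite ^/plain/(\w+)$ /new/$1 last;
    set $flag 3;
    rewrite ^/last/(\w+)$ /new?page=$1 last;
}
EOF
}
sample_config | find_risky_rewrites
```

Against a real server, replace the sample with `cat /etc/nginx/nginx.conf /etc/nginx/conf.d/*.conf | find_risky_rewrites` (paths assumed) and treat each hit as a rule to convert to named captures until the upgrade lands.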
The AI Angle: How a Machine Found What Humans Missed for 18 Years
The discovery story of NGINX Rift is arguably more significant than the vulnerability itself — and it’s a preview of a seismic shift in how security research works.
depthfirst’s autonomous AI system was performing a static analysis of NGINX’s codebase when it identified the anomalous memory access pattern in the rewrite module. Human security researchers had reviewed this code repeatedly over 18 years — during security audits, bug bounty programs, open-source contributions, and academic research. The bug evaded all of them.
Why? Because the exploit path requires a very specific combination of three conditions that, individually, appear perfectly safe. Human reviewers tend to analyze code paths in isolation. The AI analyzed the full interaction graph across the entire module and flagged the edge case that humans kept skipping.
This is the same capability that Anthropic’s Claude Mythos demonstrated when it was reported to have identified thousands of zero-day vulnerabilities across every major operating system. AI-powered vulnerability discovery is no longer theoretical. It’s operational. And the same tools that defenders use to find bugs are available to attackers.
Impact Assessment: Who Is Most at Risk?
NGINX Rift is particularly dangerous for organizations running:
- Legacy NGINX deployments — older servers that haven’t been updated in years and likely have complex rewrite rule sets
- WordPress and PHP application servers — NGINX is extremely common as a reverse proxy for WordPress, and many WordPress server configurations use complex rewrite rules for clean URLs
- API gateways — NGINX is widely deployed as an API gateway in microservices architectures, making it a high-value target for attackers seeking access to backend services
- CDN and edge infrastructure — many CDN providers use NGINX at the edge; a successful exploit here could have massive downstream impact
- Cloud-native environments — NGINX Ingress Controller is the most popular Kubernetes ingress controller; vulnerable versions in container clusters present a significant lateral movement risk
Patch Now. No Exceptions.
NGINX Rift is the kind of vulnerability that defines a before and after. Before public disclosure, it was a hidden flaw. After disclosure, with exploit code circulating and mass scanning underway, every unpatched NGINX server is a ticking clock.
The patch is available. The workaround is documented. There is no legitimate reason to remain vulnerable. This isn’t a “we’ll get to it next quarter” situation — active exploitation is happening right now.
Patch. Audit your rewrite configs. Monitor your access logs for unusual URI patterns. And if you want to understand the broader threat landscape driving incidents like this, read the full Mandiant M-Trends 2026 report breakdown — the picture it paints of how fast the attack-defense cycle is accelerating should motivate every ops team to take patch management more seriously.
Sources: The Hacker News, BleepingComputer, AlmaLinux, Picus Security, NGINX Security Advisories