Hackers have begun exploiting a newly patched NGINX vulnerability that can crash affected web servers and, in narrower circumstances, open a path to remote code execution.
The flaw, tracked as CVE-2026-42945 and informally called NGINX Rift, affects NGINX Open Source and NGINX Plus deployments using vulnerable rewrite configurations. It sits in the ngx_http_rewrite_module and was fixed with the release of NGINX 1.30.1 stable and NGINX 1.31.0 mainline on May 13, alongside patches for several other vulnerabilities.
Security teams are treating the issue with urgency because NGINX is a core part of internet infrastructure, widely used as a web server, reverse proxy, load balancer, content cache and API gateway. Daily web technology measurements show NGINX used by roughly a third of websites whose web server is known, making even configuration-dependent flaws significant for enterprises, hosting providers and cloud platforms.
The vulnerability affects NGINX Open Source versions from 0.6.27 through 1.30.0. NGINX Plus builds in the affected range also require patching. The fixed versions are NGINX Open Source 1.30.1 and 1.31.0, while NGINX Plus users need the relevant patched releases supplied by F5.
The flaw can be triggered without authentication by sending crafted HTTP requests, but exploitation depends on a particular rewrite-rule pattern. The vulnerable condition arises when a rewrite directive is followed by another rewrite, if or set directive, and when unnamed PCRE captures such as $1 or $2 are used with a replacement string containing a question mark. That detail limits exposure compared with a universal server-wide bug, but it does not remove the risk for organisations with complex legacy configurations.
On standard deployments, exploitation is most likely to crash an NGINX worker process, causing denial of service or repeated worker restarts. Remote code execution is considered possible only under additional conditions, including environments where Address Space Layout Randomisation is disabled or otherwise ineffective. That makes the most severe outcome less likely in hardened production environments, but the memory-corruption nature of the bug has raised concern because public technical details and proof-of-concept material are already available.
Patrick Garrity of VulnCheck said exploitation activity had been detected through canary infrastructure days after public disclosure. The early exploitation window underlines a familiar pattern in edge-service security: once proof-of-concept details appear, attackers move quickly to identify exposed systems before patch cycles are complete.
The chronology is important. The issue was patched publicly on May 13. Technical analysis and exploit guidance circulated soon after. Exploitation attempts were then observed over the weekend, turning the flaw from a patch-management concern into an active threat-monitoring issue for security operations teams.
NGINX’s own advisory rates the flaw as medium severity, reflecting the configuration requirements and the likely default impact of worker crashes. External scoring has placed it at critical severity because it is remotely reachable, requires no authentication and can lead to severe impact under certain conditions. That difference is not unusual in vulnerability management, where vendor severity, CVSS scoring and real-world exploitation risk can diverge.
Administrators have two immediate priorities. The first is to upgrade affected NGINX Open Source installations to 1.30.1 or 1.31.0 and to confirm that the patched binary is actually what is running: a configuration reload (nginx -s reload) keeps the existing master process and its binary, so the service must be restarted, or the master replaced through NGINX's binary-upgrade procedure, before the fix takes effect. The second is to inspect rewrite rules for unnamed capture groups ($1, $2 and so on) referenced from a replacement string that contains a question mark, especially where rewrite, if or set directives appear in the same scope.
Where immediate patching is not possible, defenders can reduce exposure by replacing unnamed captures with named captures, written (?<name>...) in the regex and referenced as $name in the replacement, and by simplifying risky rewrite chains. That mitigation should be treated as temporary rather than a substitute for upgrading, because configuration reviews can miss edge cases in large estates.
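The audit and interim mitigation described above, as an added example that is not part of the original article and not code from NGINX or F5: a small Python script that parses nginx configuration text, flags every rewrite whose replacement uses unnamed captures ($1, $2, ...) together with a question mark and is followed by another rewrite, if or set in the same block, and rewrites the flagged rules to named captures. The detection rule is a heuristic taken from the article's description of the vulnerable pattern, not the upstream fix logic; the function names (parse, find_risky_rewrites, to_named_captures, harden_config) and the sample configuration are constructed for the demonstration.

```python
import re

# Tokens: quoted strings, the structural characters { } ; and bare words.
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')
COMMENT_RE = re.compile(r'(^|\s)#.*$', re.MULTILINE)
UNNAMED_CAPTURE_RE = re.compile(r'\$\d')   # $1, $2, ... in a replacement string

def parse(text):
    """Parse nginx config text into a nested list. Entries are
    ('dir', name, args, line) or ('block', header_tokens, line, children)."""
    text = COMMENT_RE.sub(r'\1', text)          # drop # comments, keep newlines
    root = []
    stack, args, first = [root], [], None
    for m in TOKEN_RE.finditer(text):
        tok, line = m.group(), text.count('\n', 0, m.start()) + 1
        if tok == ';':
            if args:
                stack[-1].append(('dir', args[0], args[1:], first))
            args, first = [], None
        elif tok == '{':
            children = []
            stack[-1].append(('block', args, first or line, children))
            stack.append(children)
            args, first = [], None
        elif tok == '}':
            if len(stack) > 1:
                stack.pop()
        else:
            first = line if first is None else first
            args.append(tok)
    return root

def unquote(s):
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in '"\'' else s

def is_follower(entry):
    """True for a rewrite or set directive, or an if block (the article's trigger list)."""
    return entry[1] in ('rewrite', 'set') if entry[0] == 'dir' else entry[1][:1] == ['if']

def find_risky_rewrites(children, findings=None):
    """Collect (line, regex, replacement) for each rewrite whose replacement
    uses $N captures and contains '?', with a rewrite/if/set later in the block."""
    findings = [] if findings is None else findings
    for i, entry in enumerate(children):
        if entry[0] == 'block':
            find_risky_rewrites(entry[3], findings)
        elif entry[1] == 'rewrite' and len(entry[2]) >= 2:
            regex, repl = unquote(entry[2][0]), unquote(entry[2][1])
            if (UNNAMED_CAPTURE_RE.search(repl) and '?' in repl
                    and any(is_follower(e) for e in children[i + 1:])):
                findings.append((entry[3], regex, repl))
    return findings

def to_named_captures(regex, repl, prefix='g'):
    """Turn each unnamed group into (?<gN>...) and $N into $gN. Skips escaped
    parens, character classes and (?...) groups; assumes the regex has no
    pre-existing named groups (those would shift PCRE's group numbering)."""
    out, n, i, in_class = [], 0, 0, False
    while i < len(regex):
        c = regex[i]
        if c == '\\' and i + 1 < len(regex):       # escaped char: copy both
            out.append(regex[i:i + 2]); i += 2; continue
        if in_class:
            in_class = c != ']'
        elif c == '[':
            in_class = True
        elif c == '(' and not regex.startswith('(?', i):
            n += 1
            out.append(f'(?<{prefix}{n}>'); i += 1; continue
        out.append(c); i += 1
    new_repl = re.sub(r'\$(\d+)', lambda m: f'${prefix}{m.group(1)}', repl)
    return ''.join(out), new_repl

def harden_config(text):
    """Replace each flagged rewrite's 'regex replacement' pair with the named form."""
    for _, regex, repl in find_risky_rewrites(parse(text)):
        new_regex, new_repl = to_named_captures(regex, repl)
        text = text.replace(f'{regex} {repl}', f'{new_regex} {new_repl}')
    return text

# Constructed sample configuration for the demo (not from any real deployment).
SAMPLE_CONF = """
http {
    server {
        listen 80;
        location /legacy/ {   # $1/$2 plus '?' in the replacement, then a second rewrite
            rewrite ^/legacy/([^/]+)/(.*)$ /app?item=$1&rest=$2 last;
            rewrite ^/app /index.php last;
        }
        location /api/ {      # same pattern, followed by an if block
            rewrite ^/api/v1/(.*)$ /v2/$1?legacy=1 break;
            if ($arg_debug) { return 403; }
        }
        location /safe/ {     # named capture and no '?': not the described pattern
            rewrite ^/safe/(?<item>[^/]+)$ /item/$item last;
            set $backend "app";
        }
    }
}
"""

if __name__ == '__main__':
    for line, regex, repl in find_risky_rewrites(parse(SAMPLE_CONF)):
        print(f'line {line}: rewrite {regex} {repl}')
        print('  named-capture form:', *to_named_captures(regex, repl))
    print('remaining after hardening:', len(find_risky_rewrites(parse(harden_config(SAMPLE_CONF)))))
```

Run it against a copy of nginx.conf and any files it includes (the script does not follow include directives itself), and review each reported line by hand before applying the named-capture form: the rewrite is only a stopgap, and rules that already mix named and unnamed groups need their variable references checked manually because PCRE numbers both kinds of group together.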
The issue also has supply-chain implications. Many organisations do not run only a single manually installed NGINX instance; they depend on Linux distribution packages, container images, Kubernetes ingress controllers, appliance builds and managed application stacks. Security teams will need to verify how each platform incorporates upstream fixes rather than assuming that a package name alone confirms protection.
Linux distribution maintainers have begun pushing fixed NGINX packages into supported repositories, but patch availability varies by platform and release stream. Container users should rebuild images from patched bases and redeploy running services, while cloud and managed-service customers should confirm whether their providers have already rolled out updates.