Cybersecurity researchers disclosed a critical vulnerability in NGINX Plus and NGINX Open Source that remained undetected for 18 years. Dubbed NGINX Rift, the flaw allows unauthenticated remote code execution against millions of web servers worldwide.
The Vulnerability
CVE-2026-42945 (CVSS v4: 9.2) is a heap buffer overflow issue impacting the ngx_http_rewrite_module. The vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive combined with an unnamed Perl-Compatible Regular Expression (PCRE) capture — such as $1 or $2 — with a replacement string that includes a question mark.
Discovered by researcher "depthfirst," the flaw has been present in NGINX since version 0.6.27, first released in 2008.
Affected Versions
- Every NGINX version from 0.6.27 through 1.30.0 is affected
- Fixed versions: NGINX 1.31.0 and 1.30.1
Active Exploitation Risk
A proof-of-concept exploit has been released that includes an "ASLR-bypass chain combining the NGINX overflow with a common same-host LFI/arbitrary-file-read primitive," allowing unauthenticated remote code execution against servers using rewrite and set directives.
Given NGINX's massive market share — powering a significant portion of the world's web servers — this vulnerability represents an extremely broad attack surface.
Immediate Mitigation
If immediate patching is not an option:
- Replace unnamed captures with named captures in every affected rewrite directive
- For example, change
  rewrite ^/(.*)$ /$1 break;
  to use named capture groups
Recommendations
Organizations running NGINX should treat this as an emergency patch. Check your NGINX configuration for rewrite directives with unnamed captures and apply the available patches immediately. Given the 18-year window during which this flaw existed undetected, assume that sophisticated threat actors are already aware of it.
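The configuration check recommended above, as an added example (not from the original article or the NGINX project): a heuristic Python audit that flags rewrite, if and set directives referencing unnamed captures, and marks rewrites whose replacement contains a question mark. The sample config, the named capture "path" and the function name audit are constructed for illustration; include files are not followed.

```python
import re

# Constructed sample config for illustration (not from the page or a real host).
SAMPLE_CONF = r'''
server {
    listen 80;
    # rewrite ^/old/(.*)$ /new/$1 break;
    rewrite ^/(.*)$ /$1 break;
    rewrite ^/app/(.*)$ /index.php?q=$1 last;
    rewrite ^/(?<path>.*)$ /$path break;
    location /img {
        if ($uri ~ "^/img/(\d+)$") {
            set $id $1;
        }
    }
}
'''

# Comment, quoted string, structural character, or bare word.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[;{}]|[^\s;{}]+''')
UNNAMED = re.compile(r"\$[1-9]")        # unnamed captures $1..$9
WATCHED = {"rewrite", "if", "set"}      # directives named in the advisory text

def audit(conf):
    """Return (line, directive, replacement_has_qmark) for each watched directive using $1..$9."""
    findings, words, start = [], [], 0
    for m in TOKEN.finditer(conf):
        tok = m.group()
        if tok.startswith("#"):
            continue                     # commented-out directives never count
        if tok not in (";", "{", "}"):
            if not words:
                start = conf.count("\n", 0, m.start()) + 1
            words.append(tok)
            continue
        if words and words[0] in WATCHED:
            # rewrite/set: inspect the replacement or value; if: the whole condition
            scope = words[1:] if words[0] == "if" else words[2:3]
            if any(UNNAMED.search(w) for w in scope):
                qmark = words[0] == "rewrite" and "?" in words[2]
                findings.append((start, " ".join(words), qmark))
        words = []
    return findings

if __name__ == "__main__":
    for line, directive, qmark in audit(SAMPLE_CONF):
        note = "  <- replacement contains '?'" if qmark else ""
        print(f"line {line}: {directive}{note}")
```

On a live host, run it over the output of nginx -T so that included files are covered; the reported line numbers then refer to that dump.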