
Critical Flaw in Software Used by a Third of the Internet Being Exploited – Free Checker Available Now

A critical security vulnerability in NGINX, a widely used web server software that supports over 30% of all websites globally, has recently been confirmed as actively exploited in the wild. This alarming development follows the public disclosure of the vulnerability, which took place less than a week prior. The flaw, tracked as CVE-2026-42945 and referred to as ‘NGINX Rift,’ is marked by a severity score of 9.8 out of 10, indicating its potential to cause severe damage.

The vulnerability affects nearly all standard NGINX builds released between 2008 and May 2026, representing an exposure window of 18 years. This broad range means that a vast number of websites could potentially be at risk. The developer of NGINX, F5, responded quickly to the emerging threat by issuing an emergency patch on May 13, 2026, the same day the vulnerability was made public. Coinciding with the disclosure, security research group DepthFirst also released a working proof-of-concept exploit that enabled attackers to confirm exploitation within a matter of hours.

At the heart of this vulnerability is a component known as the ngx_http_rewrite_module, which manages URL rewriting—an essential feature present in nearly every NGINX installation. The flaw was revealed during an automated analysis of the NGINX source code powered by artificial intelligence, which took place in April 2026. Practically speaking, this vulnerability allows attackers to crash a target server with a single unauthenticated web request, meaning no password, login, or prior access is needed. Under specific conditions, the bug could also grant an attacker full control over the compromised system remotely.

Daniel Benechea, a security manager at Pentest-Tools.com, elucidated the mechanics of the vulnerability, explaining that “NGINX processes rewrite rules in two passes.” In the first pass, the server calculates memory allocation; in the second, it executes the actual writing. However, if certain conditions are met, the second pass can exceed the allocated memory, leading to a crash-and-restart loop. This situation effectively results in a denial of service. Furthermore, if a system has specific security features disabled, the vulnerability could hand control of the server directly to the attacker.

Given that NGINX operates at the perimeter of numerous internet-facing systems—handling web traffic for enterprise applications, API gateways, content delivery networks, and cloud services—the fallout from such a vulnerability could be catastrophic, potentially impacting not just individual organizations, but every system that relies on it.

Addressing the issue is not a straightforward task. F5 has provided fixes across its product range, advising affected organizations to upgrade to NGINX Open Source 1.30.1 (stable branch) or 1.31.0 (mainline), or NGINX Plus R36 P1. However, no backport patch is available for older versions, complicating the process. Security teams must understand that merely upgrading their primary NGINX installation may not suffice. In many modern cloud infrastructures, organizations may run containerized applications that include copies of NGINX within container images that won’t update automatically. Kubernetes ingress controllers, which frequently use NGINX, necessitate separate attention as well.

Benechea emphasized the importance of a careful upgrade process: “Upgrade first. Then check your container images and Kubernetes ingress controllers separately. Just upgrading your main NGINX install doesn’t automatically update those.”

For organizations unable to implement patches immediately, F5 has provided a configuration-level workaround. However, security teams caution that this approach requires manual auditing of every rewrite rule across all configuration files, which could be a significant undertaking, especially for larger or inherited deployments.

In response to the vulnerability, cybersecurity company Pentest-Tools.com has added detection for CVE-2026-42945 to its Network Vulnerability Scanner. The tool is available free of charge and without an account. It identifies the NGINX version running on a given system and flags any vulnerable instance. It can be accessed on the company’s website; note that findings are labeled “unconfirmed,” meaning a flagged result indicates a vulnerable version is present but does not verify whether the exploit’s trigger conditions exist in that system’s configuration.

The discovery of NGINX Rift also carries a significant implication for the future of vulnerability research. This flaw was uncovered not by a human researcher but through an AI-backed analysis of the NGINX source code, highlighting a shift in how vulnerabilities may be detected moving forward. Benechea remarked on the importance of this finding, noting that the existence of an 18-year-old flaw within a component included by default in every NGINX build points to issues that could remain hidden without such automated analyses.

The finding raises pressing questions about how many similar long-standing flaws might still be buried within widely utilized open-source software and whether the future of vulnerability detection will increasingly rely on automated tools.

Organizations facing this situation should take immediate action by following these critical steps:

  1. Patch Immediately: Upgrade to NGINX Open Source 1.30.1 / 1.31.0 or NGINX Plus R36 P1.

  2. Audit Container Images: Check for NGINX binaries embedded in container images independently from the primary installation.

  3. Check Kubernetes Ingress Controllers: These often include NGINX and may require additional attention.

  4. Use the Free Scanner: Employ Pentest-Tools.com’s no-login scanner to determine whether exposed versions are present on the external attack surface.
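One way to carry out steps 1 to 3 as a version inventory, added here as an example and not code from the article, F5 or Pentest-Tools.com: it assumes every open-source build below 1.30.1 is unpatched (the article states no backport exists for older branches) and that `docker` is available for checking images.

```shell
# Added example (not from the article, F5 or Pentest-Tools.com): list the NGINX
# version on the host and inside container images and flag anything below the fixed
# releases named above (1.30.1 stable / 1.31.0 mainline). Assumes every open-source
# build below 1.30.1 is unpatched, since the article says no backport exists.
FIXED_STABLE="1.30.1"   # 1.31.0 mainline is above this threshold as well

# Extract "x.y.z" from an `nginx -v` banner like "nginx version: nginx/1.29.0"; returns 1 if absent.
parse_nginx_version() {
    v=$(printf '%s\n' "$1" | sed -n 's#.*nginx/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*#\1#p' | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Return 0 when version $1 is numerically lower than version $2 (both x.y.z).
version_lt() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# Classify one version string: prints "vulnerable" (below the fix) or "patched".
nginx_rift_status() {
    if version_lt "$1" "$FIXED_STABLE"; then echo vulnerable; else echo patched; fi
}

# Step 1: the host binary. nginx -v writes its banner to stderr.
check_host() {
    out=$(nginx -v 2>&1) || { echo "host: nginx not found"; return 0; }
    v=$(parse_nginx_version "$out") || { echo "host: unparsable banner: $out"; return 0; }
    echo "host: nginx/$v $(nginx_rift_status "$v")"
}

# Steps 2 and 3: application and ingress-controller images, one name per line on
# stdin. Each image's own nginx binary reports its version; no service is started.
check_images() {
    while IFS= read -r image; do
        [ -n "$image" ] || continue
        out=$(docker run --rm --entrypoint nginx "$image" -v 2>&1) \
            || { echo "$image: nginx -v failed (no nginx on PATH?)"; continue; }
        v=$(parse_nginx_version "$out") || { echo "$image: unparsable banner"; continue; }
        echo "$image: nginx/$v $(nginx_rift_status "$v")"
    done
}

# Usage: NGINX_RIFT_SCAN=1 sh check_nginx_rift.sh < images.txt
if [ -n "${NGINX_RIFT_SCAN:-}" ]; then check_host; check_images; fi
```

A "patched" result only means the binary is at or above the fixed release; like the free scanner, it says nothing about whether a given configuration's rewrite rules would actually trigger the bug.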

In conclusion, the NGINX Rift vulnerability serves as a reminder of the vulnerabilities that can exist in seemingly secure systems, emphasizing the need for a proactive approach to security measures and updates in the ever-evolving landscape of cybersecurity.
