VMTech
VMTECH · INSTAGRAM

18-year-old flaw in NGINX ngx_http_rewrite_module enables unauthenticated RCE (CVE-2026-42945)

Colleagues, please note: a critical NGINX vulnerability has been disclosed.

Researchers from depthfirst reported a heap buffer overflow in ngx_http_rewrite_module (CVE-2026-42945, CVSS 9.2). A specially crafted HTTP request may result in remote code execution or denial of service.

Both NGINX Open Source and NGINX Plus are affected; patches are available (e.g. R32+/1.30.1+). Three additional vulnerabilities in other modules were also fixed.

If you cannot upgrade immediately, mitigate by replacing unnamed captures ($1, $2) with named captures in rewrite directives.
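One way to find the directives this mitigation applies to, as an added example (not VMTech's or NGINX's code): a Python scan of configuration text for `rewrite` directives whose replacement references positional captures ($1..$9). The sample config, the function name and the simplified tokenizer are assumptions, and the scan does not follow `include` files.

```python
import re

# Constructed sample config (not from the advisory): two rewrites that use
# positional captures, one already converted to a named capture.
SAMPLE_CONF = r'''
server {
    listen 80;
    # rewrite ^/old/(.*)$ /new/$1 last;   (commented out, must be ignored)
    rewrite ^/user/(\d+)/post/(\d+)$ /view?u=$1&p=$2 last;
    rewrite ^/item/(?<id>\d+)$ /view?item=$id last;
    location /dl/ {
        rewrite "^/dl/([a-z]{2})/(.*)$" /files/$1/$2 break;
    }
}
'''

# Simplified nginx tokenizer: comments, quoted strings (which may contain
# ';' or braces), structural characters, bare words.
TOKEN = re.compile(r'''#[^\n]*|"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[;{}]|[^\s;{}]+''')
POSITIONAL = re.compile(r'\$[1-9]')  # $1..$9, the unnamed-capture references


def find_unnamed_capture_rewrites(conf_text):
    """Return [(line_no, directive)] for every `rewrite` directive whose
    replacement string references a positional capture."""
    findings, words, start = [], [], 0
    for m in TOKEN.finditer(conf_text):
        tok = m.group(0)
        if tok.startswith('#'):
            continue  # comment to end of line
        if tok in (';', '{', '}'):  # end of a directive or block header
            # rewrite <regex> <replacement> [flag]
            if len(words) >= 3 and words[0] == 'rewrite' and POSITIONAL.search(words[2]):
                findings.append((start, ' '.join(words)))
            words = []
            continue
        if not words:  # first word of a directive: remember its line
            start = conf_text.count('\n', 0, m.start()) + 1
        words.append(tok)
    return findings


if __name__ == '__main__':
    for line_no, directive in find_unnamed_capture_rewrites(SAMPLE_CONF):
        print(f'line {line_no}: uses positional captures: {directive}')
```

Each reported line is a candidate for conversion to the named form shown on line 6 of the sample (`(?<id>...)` referenced as `$id`).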

Why it matters: the flaw is exploitable without authentication and may compromise operational workflows.

How will you respond in your environment?

#cybersecurity #NGINX #vulnerabilities #AppSec