ACCORDING to depthfirst, researchers disclosed a heap buffer overflow in the ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could enable unauthenticated remote code execution or a DoS condition, by crafting a specific URI in NGINX Plus or NGINX Open Source.
The vulnerability, nicknamed NGINX Rift, is exploitable without authentication and, if ASLR is disabled, could allow code execution in the NGINX worker process; an attacker could even force a restart or degrade availability with repeated requests.
The issue was addressed in multiple products and versions after responsible disclosure on 21 April 2026, including NGINX Plus R32–R36, NGINX Open Source 1.0.0–1.30.0, and NGINX Open Source 0.6.27–0.9.7, among others, with fixes introduced in specific patch levels such as R32 P6 and R36 P4 or in versions 1.30.1 and 1.31.0. depthfirst’s advisory notes that the vulnerability
arises when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed PCRE capture with a replacement string containing a question mark. Users are advised to apply the latest versions or, if patching cannot be immediate, to replace unnamed captures with named captures in affected rewrite directives to mitigate risk.