18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE
18-year-old NGINX rewrite-module flaw (CVE-2026-42945, CVSS 9.8) enables unauthenticated RCE. Actively exploited. Upgrade to NGINX 1.27.0 mainline or 1.26.3 stable immediately.
What’s new
A critical vulnerability, CVE-2026-42945, has been identified in NGINX’s rewrite module, allowing unauthenticated remote code execution (RCE). This flaw, which has existed for 18 years, can be exploited by attackers to crash worker processes and potentially execute arbitrary code on affected servers. The vulnerability has a CVSS score of 9.8 (CRITICAL) and is actively being exploited in the wild.
Who’s affected
This vulnerability impacts all NGINX versions prior to 1.27.0 (mainline) and 1.26.3 (stable). Users running an affected version on production systems are at significant risk, especially if their configurations include the rewrite module.
What to do
- Upgrade NGINX to version 1.27.0 (mainline) or 1.26.3 (stable) immediately to mitigate the risk.
- Review server configurations and disable any modules that are not in use, particularly the rewrite module.
- Monitor server logs for unusual activity that may indicate exploitation attempts.
- Implement web application firewalls (WAFs) to provide an additional layer of security against potential attacks.
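To triage a host against the first two items, the following added example (not code from NGINX or from this advisory) compares the `nginx -v` banner with the fixed versions stated above and lists where the dumped configuration uses rewrite-module directives. The function names and the sample configuration are constructed for illustration; comment stripping is a simple heuristic.

```python
import re
import subprocess

FIXED_STABLE = (1, 26, 3)    # fixed stable release named in the advisory
FIXED_MAINLINE = (1, 27, 0)  # fixed mainline release named in the advisory
# Directives provided by ngx_http_rewrite_module.
REWRITE_DIRECTIVES = {"rewrite", "if", "return", "set", "break",
                      "rewrite_log", "uninitialized_variable_warn"}
# Constructed sample configuration, for illustration only.
SAMPLE_CONFIG = """\
server {
    listen 80;
    # rewrite ^/old$ /new;   (commented out, ignored)
    set_real_ip_from 10.0.0.0/8;
    location /legacy { rewrite ^/legacy/(.*)$ /$1 last; }
    if ($request_method = POST) { return 405; }
}
"""

def parse_version(banner):
    """Extract (major, minor, patch) from `nginx -v` output, or None."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None

def is_affected(version):
    """True when the version predates the fixed release for its branch."""
    # Distro packages may backport fixes without changing the upstream
    # version, so confirm a positive result against the vendor's advisory.
    if version[:2] == FIXED_STABLE[:2]:
        return version < FIXED_STABLE
    return version < FIXED_MAINLINE

def rewrite_directive_lines(config_text):
    """Return (line_no, directive) for each rewrite-module directive in use."""
    hits = []
    for no, line in enumerate(config_text.splitlines(), 1):
        code = line.split("#", 1)[0]           # drop comments (heuristic)
        for stmt in re.split(r"[;{}]", code):  # handles one-line blocks
            words = stmt.split()
            if words and words[0] in REWRITE_DIRECTIVES:
                hits.append((no, words[0]))
    return hits

if __name__ == "__main__":
    # `nginx -v` prints to stderr; `nginx -T` dumps the full config to stdout.
    banner = subprocess.run(["nginx", "-v"], capture_output=True, text=True).stderr
    config = subprocess.run(["nginx", "-T"], capture_output=True, text=True).stdout
    version = parse_version(banner)
    print("version:", version, "affected:", bool(version) and is_affected(version))
    for no, name in rewrite_directive_lines(config):
        print(f"config dump line {no}: {name}")
```

Line numbers refer to the combined `nginx -T` dump, which marks each included file with a `# configuration file ...` comment.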



