NGINX CVE-2026-42945: unauthenticated worker crash and possible RCE in the rewrite module

- F5 and NGINX disclosed CVE-2026-42945 on May 13, saying a flaw in the rewrite module can let unauthenticated attackers crash workers and possibly execute code.
- NGINX said versions 0.6.27 through 1.30.0 are vulnerable, while 1.30.1 and 1.31.0 contain fixes for the heap-based buffer overflow.
- Operators can review affected versions in the NGINX and F5 advisories published May 13 and update to the patched releases.

F5 and NGINX disclosed a security flaw on May 13 in the `ngx_http_rewrite_module` that can let an unauthenticated attacker crash an NGINX worker process and, under some conditions, execute code. The issue is tracked as CVE-2026-42945 and affects both NGINX Open Source and NGINX Plus, according to F5's security advisory. NGINX said the fixed releases are 1.30.1 in the stable branch and 1.31.0 in the mainline branch. The project's public advisory page lists the vulnerable versions as 0.6.27 through 1.30.0.

### Which part of NGINX is vulnerable?

F5 said the flaw is in the `ngx_http_rewrite_module`, the component that processes `rewrite` rules and conditional request handling. The advisory says the vulnerability exists when a `rewrite` directive is followed by a `rewrite`, `if`, or `set` directive and uses an unnamed Perl-Compatible Regular Expression capture such as `$1` or `$2` in a replacement string that also includes a question mark. (my.f5.com) In nginx's rewrite syntax, a question mark in the replacement string is the documented way to stop the original query string from being appended to the rewritten URI, so the triggering pattern occurs in ordinary configurations rather than only in unusual ones.

NGINX's security advisories page describes CVE-2026-42945 as a buffer overflow in the rewrite module. The same page says the issue does not affect versions 1.30.1 and later in the stable line or 1.31.0 and later in the mainline line.

### How could an attacker trigger it?

F5 said an unauthenticated attacker can exploit the flaw by sending crafted HTTP requests, though the company added that successful exploitation also depends on conditions beyond the attacker's control. (my.f5.com) The immediate effect described in the advisory is a heap buffer overflow in the NGINX worker process that can crash the worker and force a restart. F5 also said systems with Address Space Layout Randomization disabled face higher risk because code execution is possible in that configuration. (nginx.org) The company described the issue as a data-plane problem and said there is no control-plane exposure.

### How broad is the affected version range?

NGINX said the vulnerable range starts at version 0.6.27 and runs through 1.30.0.
(my.f5.com) That span means the bug was present across most of the project's release history before the May 13 fixes landed in the currently supported branches. The vendor's news archive said the May 13 releases of nginx-1.30.1 and nginx-1.31.0 included fixes not only for CVE-2026-42945 but also for several other vulnerabilities disclosed the same day. (my.f5.com) Those included CVE-2026-42926, CVE-2026-42946, CVE-2026-42934, CVE-2026-40460 and CVE-2026-40701.

### Why are AI gateway operators paying attention?

F5's NGINX business has been promoting Gateway Fabric and related tooling for AI and modern application traffic. (nginx.org) A February 5 post on the NGINX Community Blog said Gateway Fabric 2.4.0 added features intended to help operators deliver AI workloads, including support tied to the Gateway API Inference Extension. (nginx.org) An earlier NGINX Community Blog post on using NGINX as an AI proxy said operators use NGINX for traffic control, authentication, authorization and rate limiting in front of AI services. Deployments that use rewrite logic in front of inference endpoints may therefore need to review their configurations and upgrade paths closely, based on the affected module and version ranges described in the advisories. That last point is an inference drawn from the vendor's product documentation and advisory, not a separate statement by F5. (blog.nginx.org)

### What should operators do now?

NGINX said patched releases are available in versions 1.30.1 and 1.31.0. F5's advisory directs users to product-specific tables to determine whether a given release is vulnerable and where fixes, point releases or hotfixes have been introduced. F5's quarterly security notification published May 13 links the newly announced issues to detailed advisory articles for customers reviewing exposure across product lines.
(blog.nginx.org) The next concrete step for operators is to compare deployed versions against the May 13 advisory tables and move affected NGINX Open Source or NGINX Plus instances to fixed releases. (my.f5.com 1) (my.f5.com 2)
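The two checks an operator would actually run follow from the sections above: the version range on the NGINX advisories page ("How broad is the affected version range?" and "What should operators do now?") and the directive pattern F5 describes ("Which part of NGINX is vulnerable?"). The script below is an added example written for this article, not code from F5 or the NGINX project. It assumes `nginx -v` output of the form `nginx version: nginx/x.y.z`, treats the advisory range as inclusive at both ends, and reads the advisory's pattern as: a `rewrite` whose replacement string contains `$1`..`$9` and a `?`, immediately followed by a `rewrite`, `if` or `set` directive. That reading is my interpretation and the scan is a heuristic to prioritise review; the advisory tables remain authoritative, NGINX Plus builds must be mapped through F5's product-specific tables rather than this open-source range check, and the only fix the vendors offer is upgrading. The configuration fragment is constructed for the example.

```python
import re
import subprocess

# Vulnerable range as stated on the NGINX advisories page: 0.6.27 through 1.30.0.
# Fixed: 1.30.1 (stable) and 1.31.0 (mainline). Both bounds treated as inclusive.
VULN_LOW = (0, 6, 27)
VULN_HIGH = (1, 30, 0)

VERSION_RE = re.compile(r'nginx/(\d+)\.(\d+)\.(\d+)')


def parse_nginx_version(text: str) -> tuple:
    """Extract (major, minor, patch) from `nginx -v` output such as
    'nginx version: nginx/1.30.0'. Raises ValueError if no version is present."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no nginx version found in: {text!r}")
    return tuple(int(g) for g in m.groups())


def is_vulnerable_version(version: tuple) -> bool:
    """True if an open-source version number falls inside the advisory range.
    NGINX Plus builds carry an R-release number and must be checked against
    F5's product-specific tables instead (assumption: not modelled here)."""
    return VULN_LOW <= version <= VULN_HIGH


def installed_version(binary: str = "nginx") -> tuple:
    """Run `nginx -v` on the local host; nginx prints its version to stderr."""
    proc = subprocess.run([binary, "-v"], capture_output=True, text=True)
    return parse_nginx_version(proc.stderr + proc.stdout)


# --- configuration pattern check (heuristic reading of the advisory text) ----

REWRITE_RE = re.compile(r'^rewrite\s+(\S+)\s+(\S+)')   # regex then replacement (unquoted form)
UNNAMED_CAPTURE_RE = re.compile(r'\$[1-9]')           # $1..$9, not named captures like $slug
FOLLOWER_RE = re.compile(r'^(rewrite|if|set)\b')


def _code(line: str) -> str:
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def _next_statement(lines: list, idx: int) -> str:
    """First non-blank, non-comment line after index idx, or '' at end of input."""
    for raw in lines[idx + 1:]:
        code = _code(raw)
        if code:
            return code
    return ""


def find_suspect_rewrites(conf: str) -> list:
    """Return (line_number, directive) for each `rewrite` whose replacement has an
    unnamed capture and a '?' and whose next statement is rewrite/if/set.
    A quoted regex containing spaces is not tokenised by this simple scanner."""
    lines = conf.splitlines()
    hits = []
    for idx, raw in enumerate(lines):
        code = _code(raw)
        m = REWRITE_RE.match(code)
        if not m:
            continue
        replacement = m.group(2)
        if not (UNNAMED_CAPTURE_RE.search(replacement) and "?" in replacement):
            continue
        if FOLLOWER_RE.match(_next_statement(lines, idx)):
            hits.append((idx + 1, code))
    return hits


# Constructed nginx.conf fragment for the example (not taken from any advisory).
SAMPLE_CONF = """\
server {
    listen 80;
    location /old/ {
        # $1 plus '?' in the replacement, and a 'set' follows: matches the pattern
        rewrite ^/old/(.*)$ /new/$1?legacy=1 last;
        set $flag 1;
    }
    location /plain/ {
        # no '?' in the replacement
        rewrite ^/plain/(.*)$ /new/$1 permanent;
        return 302 /elsewhere;
    }
    location /named/ {
        # named capture only, no $N
        rewrite ^/named/(?<slug>.*)$ /n/$slug?x=1 last;
        if ($flag) { return 403; }
    }
    location /tail/ {
        # matching replacement, but nothing follows it in the block
        rewrite ^/tail/(.*)$ /t/$1?v=2 last;
    }
}
"""

if __name__ == "__main__":
    for sample in ("nginx version: nginx/1.26.3", "nginx version: nginx/1.30.1"):
        v = parse_nginx_version(sample)
        print(sample, "->", "VULNERABLE" if is_vulnerable_version(v) else "fixed")
    for lineno, directive in find_suspect_rewrites(SAMPLE_CONF):
        print(f"line {lineno}: {directive}")
```

On a real host, replace `SAMPLE_CONF` with the output of `nginx -T`, which dumps the fully resolved configuration including included files, and call `installed_version()` for the binary check. A hit from the pattern scan is a reason to prioritise that instance for the upgrade, not a substitute for it: the advisory ties the bug to versions, and a configuration that does not match this heuristic today can be changed tomorrow.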
