
NGINX Rift: Critical Vulnerability and Available Fix Versions 📌


A newly disclosed vulnerability in NGINX Open Source and NGINX Plus, commonly referred to as “NGINX Rift” (CVE-2026-42945), affects the core request handling logic of the server and can lead to denial of service or potential remote code execution under certain conditions. The issue is classified as critical and impacts a wide range of deployments due to its long-standing presence in the rewrite module code path.

Affected Scope (High Level)
  • NGINX Open Source (legacy versions up to 1.30.0)
  • NGINX Plus release series up to affected builds
  • Common reverse proxy and web gateway configurations using rewrite rules

Fixed Versions (Nginx Open Source)
The vulnerability has been addressed upstream in the following stable releases:
  • NGINX Open Source 1.30.1 (patch release)
  • NGINX Open Source 1.31.0 (latest fixed branch)
All deployments should upgrade to one of these versions or later.

Additional Mitigation Guidance
If immediate upgrade is not possible, common defensive actions include:
  • Reviewing and reducing complex rewrite configurations
  • Avoiding risky rewrite patterns where possible
  • Applying temporary WAF or traffic filtering rules
  • Monitoring for unexpected worker process crashes
However, these are only interim measures -- version upgrade is the only complete fix.
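A triage helper for the version check and crash monitoring described above, added here as an example and not taken from NGINX or the original post: it classifies an `nginx -v` banner against the fixed Open Source release 1.30.1 and flags bursts of signal-killed workers in the error log. The `(nginx-plus-...)` banner suffix, the 5-minute/3-crash threshold and the sample log lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

FIXED_OSS = (1, 30, 1)  # advisory: fixed in 1.30.1 and 1.31.0, or later
BANNER = re.compile(r"nginx/(\d+)\.(\d+)\.(\d+)(\s+\(nginx-plus-[^)]+\))?")
CRASH = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[alert\] \d+#\d+: "
                   r"worker process (\d+) exited on signal (\d+)")

def version_status(banner):
    """Classify `nginx -v` output as 'fixed', 'affected' or 'unknown'."""
    m = BANNER.search(banner)
    if not m or m.group(4):
        # Unparseable, or NGINX Plus (assumed banner suffix): the advisory
        # names no fixed Plus builds, so report unknown rather than guess.
        return "unknown"
    ver = tuple(int(x) for x in m.group(1, 2, 3))
    return "fixed" if ver >= FIXED_OSS else "affected"

def worker_crashes(lines):
    """Return (time, pid, signal) for each worker terminated by a signal."""
    events = []
    for line in lines:
        m = CRASH.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            events.append((ts, int(m.group(2)), int(m.group(3))))
    return events

def crash_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Start times of sliding windows holding at least `threshold` crashes."""
    times = sorted(e[0] for e in events)
    bursts, start = [], 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold and times[start] not in bursts:
            bursts.append(times[start])
    return bursts

# Constructed sample error-log lines, not taken from a real host.
SAMPLE_LOG = [
    "2026/05/14 10:02:11 [alert] 1201#1201: worker process 1305 exited on signal 11 (core dumped)",
    "2026/05/14 10:02:12 [notice] 1201#1201: worker process 1306 exited with code 0",
    "2026/05/14 10:02:40 [alert] 1201#1201: worker process 1311 exited on signal 11",
    "2026/05/14 10:03:05 [alert] 1201#1201: worker process 1320 exited on signal 11 (core dumped)",
    "2026/05/14 10:30:00 [alert] 1201#1201: worker process 1400 exited on signal 9",
]

if __name__ == "__main__":
    print(version_status("nginx version: nginx/1.30.0"))
    print(crash_bursts(worker_crashes(SAMPLE_LOG)))
```

A single isolated worker exit is not evidence of exploitation; the burst check exists to separate repeated crashes from one-off events such as an OOM kill.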

Key Takeaway
NGINX Rift is a reminder that even mature, widely deployed infrastructure components can contain long-lived vulnerabilities. The most reliable mitigation remains rapid patch adoption and version hygiene across all environments, especially for internet-facing systems.

At Vauman, we help companies maintain secure and scalable cloud-based systems for international markets. In today’s evolving threat landscape, proactive maintenance and timely security updates are essential for protecting critical infrastructure.

info@vauman.com
  • ✔ Fully GDPR-compliant processes and enterprise security standards
  • ✔ Strong experience with European clients across multiple industries
  • ✔ Remote engineering teams with EU-timezone coordination
  • ✔ Support for both English and German communication
