{"id":245774,"date":"2026-05-14T02:00:00","date_gmt":"2026-05-14T06:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/14\/18-year-old-nginx-rewrite-module-flaw-enables-unauthenticated-rce\/"},"modified":"2026-05-14T08:40:07","modified_gmt":"2026-05-14T12:40:07","slug":"18-year-old-nginx-rewrite-module-flaw-enables-unauthenticated-rce","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/14\/18-year-old-nginx-rewrite-module-flaw-enables-unauthenticated-rce\/","title":{"rendered":"18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/18-year-old-nginx-rewrite-module-flaw.html\">18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/18-year-old-nginx-rewrite-module-flaw.html\">https:\/\/thehackernews.com\/2026\/05\/18-year-old-nginx-rewrite-module-flaw.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-14 02:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\">\ue804<span class=\"author\">Ravie Lakshmanan<\/span>\ue802<span class=\"author\">May 14, 2026<\/span><\/span><span class=\"p-tags\">Vulnerability \/ Web Server<\/span><\/p>\n<p>Cybersecurity researchers have disclosed multiple security vulnerabilities impacting NGINX Plus and NGINX Open, including a critical flaw that remained undetected for 18 years.<\/p>\n<p>The vulnerability, discovered by depthfirst, is a heap buffer overflow issue impacting ngx_http_rewrite_module (CVE-2026-42945, CVSS v4 score: 9.2) that could allow an attacker to achieve remote code execution or cause a denial-of-service (DoS) with crafted requests. It has been codenamed <strong>NGINX Rift<\/strong>.<\/p>\n<p>&#8220;NGINX Plus and NGINX Open Source have a vulnerability in the ngx_http_rewrite_module module,&#8221; F5 said in an advisory released Wednesday. &#8220;This vulnerability exists when the rewrite directive is followed by a rewrite, if, or set directive and an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) with a replacement string that includes a question mark (?).&#8221;<\/p>\n<p>&#8220;An unauthenticated attacker, along with conditions beyond its control, can exploit this vulnerability by sending crafted HTTP requests. This may cause a heap buffer overflow in the NGINX worker process, leading to a restart. Additionally, for systems with Address Space Layout Randomization (ASLR ) disabled, code execution is possible.&#8221;<\/p>\n<p>The issue has been addressed in the following versions after responsible disclosure on April 21, 2026 &#8211;<\/p>\n<ul>\n<li>NGINX Plus R32 &#8211; R36 (Fixes introduced in R32 P6 and R36 P4)<\/li>\n<li>NGINX Open Source 1.0.0 &#8211; 1.30.0 (Fixes introduced in 1.30.1 and 1.31.0)<\/li>\n<li>NGINX Open Source 0.6.27 &#8211; 0.9.7 (No fixes planned)<\/li>\n<li>NGINX Instance Manager 2.16.0 &#8211; 2.21.1<\/li>\n<li>F5 WAF for NGINX 5.9.0 &#8211; 5.12.1<\/li>\n<li>NGINX App Protect WAF 4.9.0 &#8211; 4.16.0<\/li>\n<li>NGINX App Protect WAF 5.1.0 &#8211; 5.8.0<\/li>\n<li>F5 DoS for NGINX 4.8.0<\/li>\n<li>NGINX App Protect DoS 4.3.0 &#8211; 4.7.0<\/li>\n<li>NGINX Gateway Fabric 1.3.0 &#8211; 1.6.2<\/li>\n<li>NGINX Gateway Fabric 2.0.0 &#8211; 2.5.1<\/li>\n<li>NGINX Ingress Controller 3.5.0 &#8211; 3.7.2<\/li>\n<li>NGINX Ingress Controller 4.0.0 &#8211; 4.0.1<\/li>\n<li>NGINX Ingress Controller 5.0.0 &#8211; 5.4.1<\/li>\n<\/ul>\n<p>In its own advisory, depthfirst said the&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/18-year-old-nginx-rewrite-module-flaw.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE https:\/\/thehackernews.com\/2026\/05\/18-year-old-nginx-rewrite-module-flaw.html Publish Date: 2026-05-14 02:00:00 Source Domain:&#8230;<\/p>\n","protected":false},"author":1,"featured_media":245776,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhhCvxtNv7UYYMCITB2HLsBgkN83LdRXcw0wmP9gMAfXeNpmJoOJKNIaQb55b-GLDeQHx-dUBkASGDYgstnvYAE5eFuwyzMSxY804fn56OaTsGlESOab9y-kFHJ-iV5iUlWrc5j27WLduUDhW6nRSjkv5tFMKZjDbbmDdk7_NMZ3y7sipHKy7t4XuMQ9YfG\/s1600\/nn.gif","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,27],"class_list":["post-245774","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/245774"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=245774"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/245774\/revisions"}],"predecessor-version":[{"id":245777,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/245774\/revisions\/245777"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/245776"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=245774"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=245774"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=245774"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}