TL;DR: CVE-2026-42945 affects NGINX Open Source and NGINX Plus, where crafted HTTP requests can trigger a heap buffer overflow that causes denial of service and, in some environments, remote code execution, according to Orca Security. The real lesson is that internet-facing ingress paths turn parser bugs into infrastructure-wide blast radius, so patch timing and exposure context now matter more than CVSS alone.
NHIMG editorial — based on content published by Orca Security: CVE-2026-42945 analysis for NGINX Open Source and NGINX Plus
By the numbers:
- CVE-2026-42945 has a CVSS score of 9.2 and affects NGINX Open Source versions 1.0.0 through 1.30.0, plus NGINX Plus R32 through R36.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: What breaks when CVE-2026-42945 is not patched in NGINX ingress paths?
A: The most immediate failure is repeated worker crashes that produce denial of service, but the deeper issue is that the edge tier stops reliably mediating traffic for downstream services.
Q: Why do vulnerable NGINX rewrite rules matter so much in internet-facing environments?
A: They matter because NGINX is often the first enforcement point for APIs, ingress, and service traffic, so a parsing flaw there can affect a large portion of the environment at once.
Q: How do security teams know whether an NGINX deployment is exposed to this issue?
A: Check for affected versions and inspect configuration for rewrite, if, and set directives that use unnamed captures.
Practitioner guidance
- Patch vulnerable NGINX versions immediately. Move to NGINX Open Source 1.30.1 or 1.31.0, or NGINX Plus R32 P6 or R36 P4, and prioritise internet-facing nodes first.
- Find rewrite directives that use unnamed captures. Search configuration for rewrite, if, and set directives that rely on unnamed regex captures such as $1 or $2, because those are the configurations through which the flaw is triggered.
- Track worker crash indicators as exploit signals. Look for repeated worker PID cycling, SIGABRT terminations, and heap corruption messages in NGINX logs, especially on nodes exposed to the public internet.
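A configuration check for the second guidance item above, added here as an illustration and not taken from Orca Security's report or from NGINX itself: it scans a constructed nginx.conf for rewrite, if, and set directives that use unnamed captures (plain capturing groups or positional references $1..$9), which is the exposure condition the post names. It assumes one directive per line and treats the match heuristically.

```python
import re

# Constructed sample nginx.conf for illustration (not from the original post).
SAMPLE_CONF = """
server {
    listen 80;
    # unnamed capture in the regex and $1 in the replacement
    rewrite ^/old/(.*)$ /new/$1 permanent;
    # named captures only: not flagged
    rewrite ^/api/(?<ver>v[0-9]+)/(?<rest>.*)$ /$ver/$rest last;
    location / {
        if ($request_uri ~ ^/user/([0-9]+)) {
            set $uid $1;
        }
        set $flag 1;
    }
}
"""

DIRECTIVE = re.compile(r'^(rewrite|if|set)\b(.*?);?$')
# "(" that opens a plain capturing group: not escaped and not a "(?" construct
UNNAMED_GROUP = re.compile(r'(?<!\\)\((?!\?)')
NUMERIC_REF = re.compile(r'\$[1-9]')  # positional references $1 .. $9

def find_unnamed_capture_use(conf_text):
    """Return (line_no, directive, text) for rewrite/if/set lines using unnamed captures."""
    hits = []
    for n, line in enumerate(conf_text.splitlines(), 1):
        code = line.split('#', 1)[0].strip()  # drop comments
        m = DIRECTIVE.match(code)
        if not m:
            continue
        directive, args = m.group(1), m.group(2).strip().rstrip('{').strip()
        if directive == 'if':
            # condition is parenthesised; only a regex test (~, ~*, !~, !~*) has captures
            cond = args[1:-1] if args.startswith('(') and args.endswith(')') else args
            rx = re.search(r'!?~\*?\s*(.*)$', cond)
            flagged = bool(rx and UNNAMED_GROUP.search(rx.group(1)))
        elif directive == 'rewrite':
            flagged = bool(UNNAMED_GROUP.search(args) or NUMERIC_REF.search(args))
        else:  # set: flag positional references such as $1
            flagged = bool(NUMERIC_REF.search(args))
        if flagged:
            hits.append((n, directive, code))
    return hits

if __name__ == '__main__':
    for n, directive, code in find_unnamed_capture_use(SAMPLE_CONF):
        print(f'line {n}: {directive}: {code}')
```

Run it against each nginx.conf and included file; any hit on an internet-facing node is a candidate to patch first, since version alone does not tell you whether the vulnerable directive pattern is present.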
What's in the full article
Orca Security's full report covers the operational detail this post intentionally leaves for the source:
- Reproduction details for the heap overflow and the exact request pattern used in the proof of concept
- Version-by-version affected-product scope across NGINX Open Source, NGINX Plus, and dependent gateway and WAF products
- Examples of the server-side log signals that indicate crash cycling and heap corruption during exploitation
- Exposure-prioritisation guidance for assets that are internet-facing, runtime-reachable, or critical to ingress availability
NGINX rewrite-module CVE-2026-42945: what should teams patch first?
Explore further
Unauthenticated edge parser bugs are identity-adjacent control failures, not isolated web defects. NGINX often sits in front of APIs, service endpoints, and machine-authenticated traffic, so a crash or memory corruption issue at this layer can interrupt the systems that carry NHI trust. The practical lesson is that edge exposure changes the governance priority of a vulnerability even when the exploit path is not credential-based.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- A separate finding from the same research shows that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations.
A question worth separating out:
Q: Who is accountable when a public PoC turns an NGINX flaw into service outage?
A: Accountability usually sits across platform operations, application owners, and security teams because the vulnerable component is both infrastructure and an application dependency. The right framework is to assign ownership for patching, exposure tracking, and ingress criticality before the next disclosure, rather than after service disruption begins.