CVE-2026-42945
Nginx Rift: Achieving Remote Code Execution via an 18-Year-Old Vulnerability
DESCRIPTION
CVE-2026-42945, also known as Nginx Rift, is a critical vulnerability affecting the widely used Nginx web server. The issue originates from legacy request processing behavior that has existed in Nginx for nearly 18 years.
Researchers demonstrated that under specific configurations, attackers can abuse inconsistencies in how Nginx handles internal redirects, URI normalization, and upstream processing to achieve Remote Code Execution (RCE).
The vulnerability primarily impacts deployments where Nginx is used as:
• a reverse proxy
• FastCGI gateway
• PHP-FPM frontend
• or authentication gateway
Because Nginx is heavily used in cloud environments, hosting providers, containers, and enterprise infrastructures, the attack surface is extremely broad.
TECHNICAL ROOT CAUSE
At a high level, Nginx Rift abuses flaws in:
• URI parsing
• internal redirect handling
• alias/root resolution
• request rewriting behavior
The vulnerability allows attackers to manipulate request flow in unexpected ways, potentially causing:
• unintended file resolution
• request smuggling between handlers
• FastCGI parameter confusion
• execution of attacker-controlled payloads
Researchers showed that carefully crafted requests could bypass expected routing logic and eventually trigger unsafe backend execution paths.
One of the key issues is that different Nginx processing stages interpret paths differently, creating a “rift” between:
• normalized paths
• rewritten paths
• upstream paths
• filesystem mappings
This mismatch can lead to dangerous security boundary violations.
AFFECTED SYSTEMS
Potentially affected systems include:
• Nginx reverse proxy deployments
• PHP-FPM environments
• containerized web infrastructures
• cloud load balancers using Nginx
• shared hosting platforms
• custom rewrite-heavy configurations
Risk increases significantly when:
• alias and rewrite directives are combined
• FastCGI is enabled
• complex internal redirects are used
• security assumptions rely solely on URI filtering
AFFECTED VERSIONS
• NGINX Open Source 0.6.27 through 1.30.0
• NGINX Plus R32 through R36.
• NGINX Instance Manager 2.16.0 through 2.21.1.
• F5 WAF for NGINX 5.9.0 through 5.12.1.
• NGINX App Protect WAF 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0.
• F5 DoS for NGINX 4.8.0.
• NGINX App Protect DoS 4.3.0 through 4.7.0.
• NGINX Gateway Fabric 1.3.0 through 1.6.2 and 2.0.0 through 2.5.1.
• NGINX Ingress Controller 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.1.
VULNERABILITY IMPACT
Successful exploitation may allow attackers to:
• bypass access restrictions
• execute arbitrary commands
• achieve Remote Code Execution (RCE)
• compromise backend application environments
Depending on deployment architecture, impact may include:
• full web server compromise
• container escape scenarios
• credential theft
• lateral movement within internal networks
RECOMMENDATIONS
Organizations using Nginx should:
• Update Nginx to the latest patched version immediately
• Review all rewrite, alias, and FastCGI configurations
• Avoid unsafe path normalization assumptions
• Restrict dangerous internal redirects
• Implement Web Application Firewall (WAF) protections where possible
• Audit reverse proxy rules for ambiguous URI handling
Security teams should also monitor for:
• suspicious encoded URI requests
• abnormal rewrite behavior
• unexpected upstream routing activity