Critical Security Vulnerability Discovered in NGINX
Security researchers have reported several vulnerabilities in NGINX Plus and NGINX Open Source, including a critical flaw that, according to the researchers, went unnoticed for 18 years. The vulnerability, credited to depthfirst, lies in the ngx_http_rewrite_module and is tracked as CVE-2026-42945. It carries a CVSS v4 base score of 9.2, which falls in the Critical range (9.0 to 10.0) of the CVSS v4 scale. The flaw is a heap buffer overflow that an attacker can use to achieve remote code execution (RCE) in the affected process. NGINX worker processes normally run under the unprivileged account named by the user directive, so code execution in a worker gives the attacker that account's privileges and whatever the worker holds in memory; a complete compromise of the host would additionally require a local privilege escalation.
NGINX is one of the most widely deployed web servers and reverse proxies, and the rewrite module is part of the default build, so the flaw affects a very large installed base. Administrators should inventory their NGINX builds, confirm whether the rewrite module is compiled in, and apply the vendor's security update. The report names version 1.23.0 of NGINX Plus and version 1.23.0 of NGINX Open Source as affected; because it does not give a full affected range, operators should treat the vendor advisory, not this single version number, as the authority on which releases need patching.
Users of these versions are urged to act immediately. A patch has already been released, and updating to the fixed release is the only complete remedy; the report describes no configuration workaround. Beyond NGINX itself, the case shows how long a memory-safety bug can survive in heavily used code, which is why researchers recommend regular security audits and prompt updates. That the flaw stayed undetected for so long is the most alarming aspect of the disclosure.
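The review the article recommends starts with an inventory: which NGINX version is running on each host, and whether the rewrite module the flaw lives in is even compiled into that build. The POSIX shell script below is an added example written for this page; it is not code from the article, from depthfirst or from the NGINX project. It parses the output of `nginx -V` (whose first line reads `nginx version: nginx/x.y.z` and whose `configure arguments:` line lists `--without-http_rewrite_module` if the module was left out) and compares the version with a fixed version supplied by the operator. The fixed version is an assumption: the article does not say which release carries the patch, so take it from the vendor advisory and pass it in `FIXED_VERSION`. The sample `nginx -V` output embedded in the script is constructed for illustration, not captured from a real host.

```sh
#!/bin/sh
# Added example for this page; not code from the article or from the NGINX project.
# Inventory check: parse `nginx -V` output, decide whether ngx_http_rewrite_module
# is compiled in, and compare the running version with an operator-supplied fixed
# version. The fixed version is an assumption: the article names none, so read it
# from the vendor advisory and pass it as FIXED_VERSION.

# Compare two dotted numeric versions (e.g. 1.23.0 against 1.25.4).
# Returns 0 if $1 >= $2, 1 otherwise. Missing trailing components count as 0,
# so 1.23 equals 1.23.0. Pre-release suffixes are not supported.
# POSIX sh has no `local`, so the working variables are plain globals.
version_ge() {
    v1="$1." v2="$2."
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; v1=${v1#*.}
        p2=${v2%%.*}; v2=${v2#*.}
        p1=${p1:-0};  p2=${p2:-0}
        if [ "$p1" -gt "$p2" ]; then return 0; fi
        if [ "$p1" -lt "$p2" ]; then return 1; fi
    done
    return 0
}

# Extract the version number from `nginx -V` output. The first line reads
# "nginx version: nginx/1.25.4"; NGINX Plus appends its release tag in parentheses.
# Prints nothing if no version line is found.
nginx_version_from_v() {
    printf '%s\n' "$1" | sed -n 's#^nginx version: nginx/\([0-9.]*\).*#\1#p' | head -n 1
}

# Returns 0 if the build contains ngx_http_rewrite_module, i.e. the configure
# arguments do not include --without-http_rewrite_module (the module is built by default).
rewrite_module_present() {
    case "$1" in
        *--without-http_rewrite_module*) return 1 ;;
        *) return 0 ;;
    esac
}

# Assess one host. $1 is the `nginx -V` output, $2 the assumed fixed version.
# Exit status: 0 = no action needed, 1 = update required, 2 = output not parseable.
assess() {
    out="$1"; fixed="$2"
    ver=$(nginx_version_from_v "$out")
    if [ -z "$ver" ]; then
        echo "could not find an nginx version line in the supplied output"
        return 2
    fi
    if ! rewrite_module_present "$out"; then
        echo "nginx $ver: built without ngx_http_rewrite_module, advisory does not apply"
        return 0
    fi
    if version_ge "$ver" "$fixed"; then
        echo "nginx $ver: at or above assumed fixed version $fixed"
        return 0
    fi
    echo "nginx $ver: below assumed fixed version $fixed, update required"
    return 1
}

# Constructed sample output, not captured from a real host: a default build of
# the 1.23.0 release the article names, with the rewrite module present.
SAMPLE_VULNERABLE='nginx version: nginx/1.23.0
built with OpenSSL 3.0.2 15 Mar 2022
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module'

# Run against the local nginx when FIXED_VERSION is set; fall back to the sample.
if [ -n "$FIXED_VERSION" ] && command -v nginx >/dev/null 2>&1; then
    assess "$(nginx -V 2>&1)" "$FIXED_VERSION"
elif [ -n "$FIXED_VERSION" ]; then
    assess "$SAMPLE_VULNERABLE" "$FIXED_VERSION"
else
    echo "set FIXED_VERSION from the vendor advisory, e.g. FIXED_VERSION=x.y.z sh $0"
fi
```

On a fleet, the same `assess` function can be fed the `nginx -V 2>&1` output collected over SSH from each host; the exit status (0, 1 or 2) is what to key the update queue on, and the "advisory does not apply" branch is the one case where a vulnerable version number does not by itself mean exposure to this particular flaw.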
Alongside CVE-2026-42945, the researchers reported further NGINX vulnerabilities, including issues in authentication and request processing, that could also be exploited. The exact number of affected systems is unknown, but estimates run to millions of servers worldwide. The security community has called for closer collaboration between developers and security researchers; consistent application of secure development standards and practices would reduce the number of vulnerabilities that go undiscovered for years.
The disclosure underlines the importance of timely security updates and may affect how much trust organisations place in NGINX as a platform; companies that rely on it may need to revisit their security strategies, and how quickly users respond will shape its future use. The vulnerability was made public on May 17, 2026, and the NGINX developers have already taken steps to address the issues. Users should update their systems immediately to protect against attacks.