Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: nginx (4 articles)Clear

Critical F5 NGINX flaws allow unauthenticated code execution and crashes

F5 has issued out-of-band patches for two critical flaws in NGINX, the web server and reverse proxy that runs a large share of the internet. CVE-2026-42530 (a use-after-free in the HTTP/3 module) and CVE-2026-42055 (a heap overflow in the HTTP/2 proxy and gRPC modules), both rated 9.2, let a remote, unauthenticated attacker corrupt memory in an NGINX worker, crashing it for a denial of service and, where address-space randomization is disabled or bypassed, potentially running code. They affect non-default configurations across NGINX Open Source, Plus, Gateway Fabric, and Instance Manager. F5 has not seen exploitation yet, but its products are frequent attacker targets.

Check
Inventory NGINX instances and versions across servers, ingress, and gateways, and check whether HTTP/3 (QUIC) or HTTP/2 proxy and gRPC upstreams are enabled, which is what exposes these flaws.
Affected
NGINX Open Source, NGINX Plus, Gateway Fabric, and Instance Manager in non-default configurations using HTTP/3 (CVE-2026-42530) or HTTP/2 proxying and gRPC (CVE-2026-42055); unauthenticated remote attackers can trigger the flaws.
Fix
Upgrade to the fixed releases (NGINX Open Source 1.31.2, Plus 37.0.2.1 or R36 P6, Gateway Fabric 2.6.4). If you cannot patch now, disable HTTP/3 or the affected proxy settings as F5 advises.

NGINX 'Rift' heap overflow CVE-2026-42945 now seeing exploitation attempts in VulnCheck honeypots

The 18-year-old heap overflow in NGINX's rewrite module, CVE-2026-42945, disclosed last week as part of the 'Rift' bug cluster, is now seeing real exploitation attempts. AI-native security firm VulnCheck says its honeypot networks have caught attackers probing the flaw, though the goal of the campaigns is not yet clear. The vulnerability lets an unauthenticated attacker crash NGINX worker processes by sending crafted HTTP requests. Turning that crash into remote code execution requires the target host to have Address Space Layout Randomization (ASLR) disabled, which is uncommon by default, but the worker-crash denial-of-service is exploitable on its own and rated urgent.

Check
Search NGINX error logs for unusual worker crashes since 2026-05-13. Identify servers running NGINX open source before 1.30.1/1.31.0 or NGINX Plus before R32 P6 / R36 P4.
Affected
NGINX open source 0.6.27 through 1.30.0; NGINX Plus R32 through R36. Exploitable for DoS by default; RCE requires ASLR disabled on the target host.
Fix
Upgrade open source NGINX to 1.30.1 (stable) or 1.31.0 (mainline), or NGINX Plus to R32 P6 / R36 P4. Confirm ASLR remains enabled (default on supported Linux distributions).

NGINX Rift: 18-year-old heap overflow in the rewrite module lets anyone on the internet crash or take over an NGINX server (CVE-2026-42945)

An AI-discovered bug hidden in NGINX since 2008 lets anyone on the internet crash NGINX worker processes or, with ASLR disabled, run code on the server using a single crafted HTTP request. The flaw, named NGINX Rift (CVE-2026-42945, CVSS 9.2), sits in the rewrite module that powers URL rewriting in almost every NGINX deployment. It triggers when a config uses a rewrite directive with unnamed regex captures and a question mark, followed by another rewrite, if, or set directive - a common pattern in API gateway setups. NGINX runs roughly a third of the websites on the public internet.

Check
Grep your NGINX configs for rewrite directives that combine unnamed captures ($1, $2) with question marks in the replacement, and inventory the NGINX version on every reverse proxy you operate.
Affected
NGINX Open Source 0.6.27 through 1.30.0; NGINX Plus R32 through R36; NGINX Instance Manager, App Protect WAF, Gateway Fabric, and Ingress Controller across multiple versions.
Fix
Upgrade NGINX Open Source to 1.31.0 or 1.30.1; NGINX Plus users to R36 P4 or R32 P6. If patching is delayed, swap unnamed captures for named captures ((?<name>...)) in every affected rewrite directive.

Nginx UI authentication bypass actively exploited - one unauthenticated request gives attackers full server takeover via MCP endpoint (CVE-2026-33032)

A CVSS 9.8 authentication bypass in nginx-ui, the popular open-source web management interface for Nginx servers, is being actively exploited in the wild. The flaw, codenamed MCPwn by Pluto Security, exists because the /mcp_message endpoint added for Model Context Protocol (AI integration) support only checks IP whitelisting - and the default whitelist is empty, meaning it allows all connections. One unauthenticated HTTP POST request lets an attacker invoke all MCP tools: rewrite Nginx config files, reload the server, intercept all traffic, and harvest admin credentials. Attackers chain it with CVE-2026-27944 (exposed encryption keys via the backup API) to extract the node_secret needed for full MCP access. Recorded Future flagged active exploitation and assigned a risk score of 94/100. Shodan shows 2,600 publicly exposed instances, mostly in China, the US, Indonesia, and Germany. Pluto Security's key lesson: AI integration endpoints expose the same capabilities as the core application but often skip its security controls.

Check
Check if you or any managed clients run nginx-ui (web-based Nginx management dashboard). If MCP support is enabled, this is urgent - you're likely exposed.
Affected
nginx-ui versions 2.3.5 and earlier with MCP support enabled. The tool has 11,000+ GitHub stars and 430,000 Docker pulls. Any instance reachable from the network is exploitable without credentials.
Fix
Update nginx-ui to version 2.3.6 immediately (2.3.4 was the first fix, 2.3.6 is current). If you can't patch: restrict network access to the nginx-ui management interface to trusted IPs only. Add authentication middleware to the /mcp_message endpoint. As defense-in-depth, audit all MCP-integrated tools in your environment - this class of flaw (AI integration endpoints skipping auth) will appear in other products.