NGINX Rewrite Module Flaw Allows Unauthenticated Remote Code Execution (CVE-2026-42945)

Security researchers have disclosed a critical, unauthenticated heap buffer overflow in NGINX's ngx_http_rewrite_module (CVE-2026-42945) that can be triggered by a crafted URI and may lead to remote code execution or denial of service. The flaw went undetected for 18 years, affects both NGINX Plus and NGINX Open Source, and is more dangerous on systems with ASLR disabled. Patches are available across multiple products (NGINX Plus R32–R36 and Open Source 1.30.1–1.31.0, among others), together with fixes for CVE-2026-42946, CVE-2026-40701 and CVE-2026-42934. Administrators should upgrade to the latest versions or, if patching isn't feasible, modify rewrite directives to use named captures to reduce exposure.
- 18-Year-Old NGINX Rewrite Module Flaw Enables Unauthenticated RCE (The Hacker News)
- Critical 18-Year-Old NGINX Vulnerability Enables Remote Code Execution Attacks (CyberSecurityNews)
- AI agent finds 18-year-old remote code execution flaw in Nginx (csoonline.com)
- NGINX is critically vulnerable: hackers can crash servers and run remote code with no authentication (Cybernews)
- 18-year-old NGINX vulnerability allows DoS, potential RCE (BleepingComputer)
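To help apply the named-capture mitigation mentioned in the summary, here is an added Python check (not code from the advisory, NGINX or any of the outlets above) that scans an nginx configuration for rewrite directives still using positional back-references ($1, $2, ...) and proposes an equivalent form with PCRE named groups. It assumes the advisory's contrast is between positional references and named captures, handles only simple single-line directives, and uses a constructed sample configuration.

```python
import re

# Constructed sample nginx configuration (not taken from the advisory).
SAMPLE_CONF = """\
server {
    listen 80;
    # positional references $1/$2: candidate for migration to named captures
    rewrite ^/old/([^/]+)/(.*)$ /new/$1/$2 permanent;
    # already uses named captures, referenced as $area and $rest
    rewrite ^/docs/(?<area>[^/]+)/(?<rest>.*)$ /help/$area/$rest last;
}
"""

_POSITIONAL_REF = re.compile(r"\$[1-9]")  # $1 .. $9 in the replacement
# Regex features the naive group renamer does not understand: an escaped '(',
# any '(?...' construct (named/non-capturing/lookaround), '(' inside a class.
_UNSUPPORTED = re.compile(r"\\\(|\(\?|\[[^\]]*\(")

def find_numeric_capture_rewrites(conf_text):
    """Return [(line_no, directive)] for single-line rewrite directives whose
    replacement still uses positional back-references. Trailing comments are
    dropped; directives spanning several lines are not handled by this scan."""
    hits = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if line.startswith("rewrite") and _POSITIONAL_REF.search(line):
            hits.append((n, line))
    return hits

def suggest_named(directive):
    """Propose an equivalent directive using named groups g1, g2, ... for a
    simple `rewrite REGEX REPLACEMENT [flag];` with plain '(' groups. Anything
    the renamer cannot map safely is returned unchanged for manual review."""
    parts = directive.rstrip(";").split()
    if len(parts) < 3 or parts[0] != "rewrite":
        return directive
    regex, repl = parts[1], parts[2]
    if _UNSUPPORTED.search(regex):
        return directive
    counter = iter(range(1, 10))  # nginx exposes $1..$9 only
    named_regex = re.sub(r"\(", lambda m: f"(?<g{next(counter)}>", regex)
    named_repl = re.sub(r"\$([1-9])", r"$g\1", repl)
    return " ".join([parts[0], named_regex, named_repl] + parts[3:]) + ";"

if __name__ == "__main__":
    for line_no, directive in find_numeric_capture_rewrites(SAMPLE_CONF):
        print(f"line {line_no}: {directive}")
        print(f"  suggested: {suggest_named(directive)}")
```

Review each suggestion before deploying it; the renamer deliberately leaves directives with escaped or non-capturing parentheses untouched.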