NGINX Rift (CVE-2026-42945): How to identify and fix vulnerable assets

What is NGINX Rift (CVE-2026-42945) and why is it critical?

CVE-2026-42945, also known as NGINX Rift, is a critical heap buffer overflow vulnerability in NGINX's ngx_http_rewrite_module, (, when using rewrite, if, or set directive with an unnamed expression (for example, $1, $2) to replace strings after a question mark (?). Rewrite is one of the most popular NGINX modules, and typically used for rewriting URLs at the HTTP server level (i.e. redirect users from HTTP to HTTPS, redirect domains, rewrite URIs). 

This vulnerability is considered high-risk (CVSS v4.0 score: 9.2) for several reasons:

• Unauthenticated RCE & DoS: An attacker does not need credentials or an established session. A single crafted HTTP request can overflow the heap, allowing the attacker to crash the worker process (creating a DoS loop) or execute arbitrary code if ASLR defenses are bypassed or disabled.

• Widespread impact: NGINX is the most popular web server globally. This bug affects almost all versions released over the last 18 years, including NGINX Open Source and NGINX Plus.

• Perimeter exposure: NGINX is inherently internet-facing. As a reverse proxy, load balancer, and web server, it sits at the edge of the network, making this vulnerability directly accessible to automated scanners and external threat actors.

• Attacker-controlled corruption: The data written out-of-bounds is pulled directly from the malicious URI, which elevates the reliability of exploiting this flaw for code execution compared to random heap corruption bugs.

Which systems are affected/not affected by NGINX Rift?

According to the F5 security advisory, the following systems are confirmed as vulnerable:

Systems affected: 

• NGINX Open Source versions 0.6.27 through 1.30.0.

• NGINX Plus R32 through R36.

• NGINX Instance Manager 2.16.0 through 2.21.1.

• F5 WAF for NGINX 5.9.0 through 5.12.1.

• NGINX App Protect WAF 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0.

• F5 DoS for NGINX 4.8.0.

• NGINX App Protect DoS 4.3.0 through 4.7.0.

• NGINX Gateway Fabric 1.3.0 through 1.6.2 and 2.0.0 through 2.5.1.

• NGINX Ingress Controller 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.1.

Systems not affected: F5 Distributed Cloud, F5 Silverline, NGINX One Console, BIG-IP, BIG-IQ, F5OS, Traffix SDC, and F5 AI Gateway are not affected. 

How to identify affected systems with Axonius

Before you begin, run a global discovery to ensure you’re working with the most current data from your environment.

Not an Axonius customer? See how our asset intelligence platform can help you surface vulnerable devices and close coverage gaps across your environment. Take the self-guided product tour →

1. Identify vulnerable instances detected by your vulnerability scanners

To find instances of NGINX Rift (CVE-2026-42945) already flagged by your active vulnerability scanners or CNAPP solutions, go to Assets > Exposures > Security Findings and search for the CVE:

2. Identify affected NGINX software NOT found by your scanners

Scanners often miss edge nodes or standalone proxies. Go to Assets > Application > Software, and search for devices where NGINX is installed, but the version falls within the vulnerable ranges (e.g., older than 1.30.1):

3. Identify internet-facing systems running NGINX

Because this bug is remotely exploitable over HTTP, public-facing proxies must be prioritized. Still in Assets > Application > Software, identify NGINX software running on devices that are publicly exposed to the internet (either directly or via other network routes):

4. Identify vulnerable NGINX ingress controllers

If you leverage Axonius adapters that retrieve containers (such as Kubernetes, Cilium, OpenShift, Docker Engine, and others), head over to Assets > Compute > Containers, and then search for signals of NGINX ingress controller:

How to remediate and mitigate NGINX Rift

1. Apply the official patch: Listed in the F5 advisory. As in the time of writing, F5 provided updates for NGINX Open Source (versions 1.30.1, 1.31.0, or later) and NGINX Plus (R32 P6, R36 P4, and 37.0.0). Update your Linux distribution packages (e.g., via apt or yum/dnf) as downstream maintainers release backported fixes.

2. Implement configuration mitigations: If you cannot immediately patch or restart services, you can mitigate the vulnerability by eliminating the trigger condition in your nginx.conf files. Modify your rewrite directives to use named captures instead of unnamed captures ($1, $2).

• Vulnerable: rewrite ^/foo/(.*)$ /bar?id=$1;

• Mitigated: rewrite ^/foo/(?<myid>.*)$ /bar?id=$myid;

3. Prioritize perimeter assets: Use Axonius to segment and patch internet-facing proxies, API gateways, and Kubernetes Ingress controllers first. Any unauthenticated entry point is at immediate risk of exploitation or DoS disruption.

Additional NGINX Rift resources and advisories

The following resources provide official patch details, exploit analysis, and threat advisories for NGINX Rift (CVE-2026-42945):

• F5 Security Advisory: K000161019

• NVD: CVE-2026-42945

• DepthFirst Technical Analysis

• Exploit Proof of Concept

NGINX Rift has been hiding in your perimeter for up to 18 years, and a working exploit is public. If you're using Axonius, the queries above surface every vulnerable NGINX instance across your environment, including the internet-facing proxies and ingress controllers your scanners can't reach. See how Axonius handles exposures →