Security Advisory — Critical NGINX Vulnerability (CVE-2026-42945)
Dear Customer,
We would like to inform you about a recently disclosed critical vulnerability affecting the NGINX web server software used by many Linux servers and reverse proxy environments.
Vulnerability Details
- CVE: CVE-2026-42945
- Severity: Critical (CVSS 9.2)
- Affected Software: NGINX Open Source and NGINX Plus
- Impact: Remote attackers may be able to cause worker crashes, denial of service conditions, and potentially remote code execution under certain configurations.
The vulnerability affects the ngx_http_rewrite_module and is related to specially crafted rewrite rules using regex captures such as $1, $2, combined with rewrite operations containing ? characters.
Affected Versions
The vulnerability affects many historical versions of NGINX, including:
- NGINX Open Source versions prior to:
  - 1.30.1
  - 1.31.0
Recommended Actions
We strongly recommend that all customers using NGINX:
- Update NGINX to a patched version immediately.
- Review custom rewrite rules and reverse proxy configurations.
- Avoid unsafe rewrite patterns using:
  - $1, $2, etc.
  - rewrite targets containing ?
- Verify that your operating system and packages are fully updated.
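To support the configuration review recommended above, the following Python example (added here; it is not part of the original advisory and is not NGINX vendor tooling) lists rewrite directives whose replacement contains both a numbered capture ($1 to $9) and a ? character, the combination this advisory describes. The function names and the sample configuration are constructed for illustration, and a match marks a directive for manual review rather than confirming that it is vulnerable.

```python
import re

# One token = quoted string, terminator/brace, comment, or bare word.
TOKEN = re.compile(r'''"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|[;{}]|\#[^\n]*|[^\s;{}]+''')
CAPTURE = re.compile(r"\$[1-9]")  # numbered regex captures: $1 .. $9


def unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'" else tok


def find_risky_rewrites(config_text):
    """Return (line, directive) for each rewrite whose replacement has $N and '?'.

    Heuristic based only on the advisory's description (assumption)."""
    findings, stmt, start = [], [], None
    for m in TOKEN.finditer(config_text):
        tok = m.group()
        if tok.startswith("#"):          # comment runs to end of line
            continue
        if tok in (";", "{", "}"):       # end of a directive or block header
            if len(stmt) >= 3 and stmt[0] == "rewrite":
                repl = unquote(stmt[2])  # rewrite <regex> <replacement> [flag]
                if CAPTURE.search(repl) and "?" in repl:
                    findings.append((start, " ".join(stmt)))
            stmt, start = [], None
            continue
        if not stmt:                     # first token: remember its line number
            start = config_text.count("\n", 0, m.start()) + 1
        stmt.append(tok)
    return findings


# Constructed sample configuration (not taken from the advisory).
SAMPLE = r'''
server {
    listen 80;
    # rewrite ^/old/(.*)$ /new?p=$1 last;   (commented out, ignored)
    rewrite ^/static/(.*)$ /assets/$1 last;
    rewrite ^/item/(\d+)$ /view.php?id=$1 last;
    location /api {
        rewrite "^/api/(v[0-9]{1,2})/(.*)$"
                "/backend/$2?ver=$1" break;
        rewrite ^/ping$ /health? permanent;
    }
}
'''

if __name__ == "__main__":
    for line, directive in find_risky_rewrites(SAMPLE):
        print(f"line {line}: {directive}")
```

Running it against the output of nginx -T covers every included configuration file in one pass.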
Important Notice for Unmanaged Services
Please note that unmanaged VPS, Dedicated Servers, and Cloud Servers are the responsibility of the customer, including operating system updates, security patching, and software maintenance.
Our team strongly recommends taking immediate action to mitigate exposure.
Additional Information
Official NVD Reference:
NGINX Security Information:
If you require a managed upgrade or assistance reviewing your NGINX configuration, please contact our support department.
Best Regards,
Cyber Cast International, S.A.
CCIHosting.com
Thursday, May 14, 2026
