Researchers have disclosed a critical heap buffer overflow vulnerability in NGINX's rewrite module that persisted undetected for 18 years. The flaw, CVE-2026-42945, carries a CVSS v4 score of 9.2 and affects both NGINX Plus and NGINX Open Source versions. Security researcher depthfirst identified the issue in ngx_http_rewrite_module, which processes the URL rewriting rules that many web servers rely on for traffic routing and content delivery.

The vulnerability enables unauthenticated remote code execution against affected systems. An attacker requires no credentials to exploit the flaw. Once triggered, the heap buffer overflow allows arbitrary code execution with the privileges of the NGINX process, typically root or a dedicated service account. This grants attackers complete control over the web server and any applications it hosts.

The 18-year window before discovery reflects a broader reality in open source infrastructure security. The rewrite module ships with both NGINX's commercial and community editions, meaning both enterprise and smaller deployments face exposure. Organizations running NGINX versions vulnerable to CVE-2026-42945 should treat this as a critical priority.

Web servers represent high-value targets because they sit at network perimeters and handle untrusted input directly. Compromising NGINX grants attackers persistent access to downstream applications, databases, and internal networks. The lack of authentication requirements removes a standard defensive layer.

Patches addressing this vulnerability should be available through NGINX's official channels. Affected organizations need to identify which NGINX versions they operate, verify whether their deployments use the rewrite module, and apply updates immediately. Organizations unable to patch immediately should implement Web Application Firewalls with rules blocking malformed rewrite requests or restrict NGINX access to trusted networks.
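The inventory steps above (find the running version, confirm whether the build includes the rewrite module, and see whether the configuration actually uses it) can be scripted. The following POSIX shell script is an added example written for this page, not code from NGINX or from the researcher; it runs offline against constructed sample output and a constructed config, and, when an `nginx` binary is present, also shows how to feed it the real `nginx -V` and `nginx -T` output. It relies on three things that are true of stock NGINX: `nginx -V` prints the version and configure arguments to stderr, the build flag `--without-http_rewrite_module` compiles the module out, and the directives `break`, `if`, `return`, `rewrite`, `rewrite_log`, `set` and `uninitialized_variable_warn` belong to ngx_http_rewrite_module. The affected version range is not stated on this page, so the script reports the version rather than judging it.

```shell
#!/bin/sh
# Constructed sample of the first line of `nginx -V` output (not a real host).
SAMPLE_VERSION_LINE='nginx version: nginx/1.25.3'
# Constructed sample of the "configure arguments:" line (rewrite module NOT compiled out).
SAMPLE_BUILD_ARGS='configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module'
# Constructed site config: one rewrite, one return, one commented-out set.
SAMPLE_CONF='server {
    listen 80;
    # set $legacy 1;   (commented out, must not be counted)
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1 permanent;
    }
    location /health {
        return 200;
    }
    location / {
        proxy_pass http://backend;
    }
}'

# parse_nginx_version LINE -> prints "1.25.3" from "nginx version: nginx/1.25.3"
parse_nginx_version() {
  printf '%s\n' "$1" | sed -n 's/^nginx version: nginx\/\([0-9][0-9.]*\).*/\1/p'
}

# rewrite_module_compiled_out ARGS -> exit 0 if the build disabled the module
rewrite_module_compiled_out() {
  printf '%s\n' "$1" | grep -q -- '--without-http_rewrite_module'
}

# count_rewrite_directives CONF -> prints how many rewrite-module directives
# appear in the config text, ignoring anything after a '#' comment marker.
count_rewrite_directives() {
  pattern='^[[:space:]]*(rewrite|return|set|if|break|rewrite_log|uninitialized_variable_warn)([[:space:]]|[(;])'
  printf '%s\n' "$1" | sed 's/#.*//' | grep -cE "$pattern" || true
}

# report VERSION_LINE BUILD_ARGS CONF -> human-readable summary
report() {
  ver=$(parse_nginx_version "$1")
  echo "nginx version: ${ver:-unknown}"
  if rewrite_module_compiled_out "$2"; then
    echo "rewrite module: compiled out (--without-http_rewrite_module)"
  else
    echo "rewrite module: present (default build)"
  fi
  echo "rewrite-module directives in config: $(count_rewrite_directives "$3")"
}

# Offline run on the constructed samples.
echo "== constructed sample =="
report "$SAMPLE_VERSION_LINE" "$SAMPLE_BUILD_ARGS" "$SAMPLE_CONF"

# Live run, only if an nginx binary is on PATH.  `nginx -V` writes to stderr;
# `nginx -T` dumps the full, resolved configuration (requires read access).
if command -v nginx >/dev/null 2>&1; then
  echo "== live host =="
  live_v=$(nginx -V 2>&1)
  report "$(printf '%s\n' "$live_v" | sed -n '1p')" \
         "$(printf '%s\n' "$live_v" | grep '^configure arguments:')" \
         "$(nginx -T 2>/dev/null)"
fi
```

Run it as `sh nginx_rewrite_check.sh`; a non-zero directive count on a build where the module is present means the deployment exercises the rewrite module and belongs at the front of the patch queue. Note that `set`, `return` and `if` count as well as `rewrite`, because they are implemented by the same module.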

This discovery underscores why continuous security auditing of foundational infrastructure components matters. NGINX processes