Recent NGINX Vulnerabilities: What Customers Need to Know About NGINX Rift and Related Issues


Donny Chong
Nexusguard

Over the past week, the cybersecurity industry has been closely monitoring several newly disclosed NGINX vulnerabilities, most notably CVE-2026-42945, commonly referred to as “NGINX Rift.” Due to NGINX’s widespread deployment across websites, APIs, reverse proxies, cloud applications, and edge infrastructure globally, the vulnerability has quickly become a major point of concern for organizations operating Internet-facing services.
Alongside NGINX Rift, another vulnerability, CVE-2026-27654, has also surfaced in recent advisories. While the two vulnerabilities affect different parts of NGINX functionality, both highlight the importance of reviewing exposed configurations and optional features within publicly accessible infrastructure.
Understanding NGINX Rift (CVE-2026-42945)
NGINX Rift primarily affects specific request rewriting behaviors within NGINX. Public advisories indicate that exploitation requires a particular combination of configuration conditions to exist simultaneously, including:
- The use of rewrite directives with unnamed regex captures such as $1 or $2
- Replacement strings containing the ? character
- Additional chained rewrite, if, or set directives immediately following the vulnerable rewrite rule
Under these conditions, specially crafted requests may trigger unsafe memory handling within the NGINX rewrite processing engine, potentially resulting in denial of service or, in certain environments, remote code execution.
Importantly, simply running NGINX does not automatically make a deployment vulnerable. Exploitability depends heavily on whether the affected rewrite logic and configuration patterns are actually in use.
CVE-2026-27654: WebDAV and Alias-Based Exposure
A second recently disclosed issue, CVE-2026-27654, affects NGINX deployments using specific WebDAV-related functionality. Unlike NGINX Rift, this vulnerability requires a narrower set of deployment conditions, including:
- The ngx_http_dav_module module being enabled
- Usage of COPY or MOVE WebDAV methods
- Use of the alias directive within prefix-based location blocks
Under these conditions, malformed requests may trigger unsafe memory behavior during path processing operations.
Organizations not using WebDAV functionality or alias-based configurations are generally not exposed to this particular vulnerability path.
Nexusguard Assessment
Following internal review and validation, Nexusguard has confirmed that the Nexusguard WAF engine deployment does not utilize the vulnerable NGINX configurations required for exploitation of either CVE-2026-42945 or CVE-2026-27654.
Specifically:
- The Nexusguard WAF engine does not rely on the vulnerable NGINX rewrite directive patterns associated with NGINX Rift
- Unnamed regex rewrite captures ($1, $2) used in the disclosed exploit chain are not present within the WAF engine configuration
- The vulnerable chained rewrite conditions required to trigger CVE-2026-42945 do not exist
- The WAF engine does not utilize alias-based location blocks associated with CVE-2026-27654
- The affected WebDAV configuration patterns required for exploitation are not used within the deployment
As a result, the underlying conditions necessary for exploitation are not present within the Nexusguard WAF engine environment.
Virtual Patching Support for Customers
In addition to internal validation, Nexusguard engineers have prepared a virtual patch for deployment through the Nexusguard WAF platform to help protect customer environments that may be affected by NGINX Rift (CVE-2026-42945).
The virtual patch is designed to help detect and block malicious request patterns associated with known exploit attempts targeting the vulnerability. This provides customers with an additional layer of protection while they review and remediate affected NGINX configurations within their own environments.
Customers and partners who believe they may be affected, or who would like assistance assessing their exposure, are encouraged to reach out to their Nexusguard representative or the Nexusguard Security Operations team for guidance and deployment support.
Recommended Actions for Customers and Partners
Nexusguard recommends that organizations:
- Review publicly exposed NGINX deployments
- Audit rewrite rule usage, especially unnamed captures ($1, $2)
- Review WebDAV and optional module exposure
- Remove unnecessary or legacy functionality where possible
- Apply vendor-recommended updates and hardening guidance
- Monitor for malformed HTTP requests and unusual scanning behavior
Organizations using Nexusguard-managed services may contact Nexusguard for additional operational guidance or assistance reviewing their current exposure posture.
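As an added example (not Nexusguard tooling and not code from the advisories), the following Python audit flags the configuration conditions listed above for CVE-2026-42945 and CVE-2026-27654. It assumes one directive per line with any opening brace on that same line and does not follow `include`; `audit`, `SAMPLE` and the finding labels are names chosen for this example.

```python
import re
CHAINED = {"rewrite", "if", "set"}  # directives the page lists as chained

def audit(conf):
    """Return sorted (line_no, label) findings; assumes one directive per line."""
    findings, cands, pending = [], [], None
    stack = [{"prefix": False, "dav": None}]           # root scope of the file
    for no, raw in enumerate(conf.splitlines(), 1):
        line = re.sub(r"(^|\s)#.*", "", raw).strip()   # naive comment strip
        if not line:
            continue
        if line == "}":                                # block end breaks a chain
            stack, pending = stack[:-1] or stack, None
            continue
        name, *args = line.rstrip(";{ ").split() or ["{"]
        # Rift condition 3: rewrite/if/set directly after the flagged rewrite
        if pending and name in CHAINED:
            findings.append((pending, "CVE-2026-42945 pattern"))
        pending = None
        # Rift conditions 1 and 2: unnamed capture and '?' in the replacement
        if name == "rewrite" and len(args) >= 2 and "?" in args[1] and re.search(r"\$\d", args[1]):
            pending = no
        if name == "dav_methods":                      # inherited by inner blocks
            stack[-1]["dav"] = bool({"COPY", "MOVE"} & {a.upper() for a in args})
        if name == "alias" and stack[-1]["prefix"]:
            cands.append((no, list(stack)))            # resolve DAV scope at the end
        if line.endswith("{"):
            prefix = (name == "location" and bool(args)
                      and not args[0].startswith(("~", "=", "@")))
            stack.append({"prefix": prefix, "dav": None})
    for no, frames in cands:                           # nearest dav_methods wins
        if next((f["dav"] for f in reversed(frames) if f["dav"] is not None), False):
            findings.append((no, "CVE-2026-27654 pattern"))
    return sorted(findings)

# Constructed sample configuration (not taken from any real deployment).
SAMPLE = r"""
server {
    dav_methods PUT DELETE COPY MOVE;
    location /files/ {
        alias /srv/files/;
    }
    location /old/ {
        rewrite ^/old/(.*)$ /new?page=$1 last;
        set $moved 1;
    }
}
"""
print(audit(SAMPLE))
```

A match means only that the conditions listed on this page occur together at that line, so each hit is a prompt to review the rule and apply the vendor update.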
Closing Thoughts
Recent NGINX vulnerabilities such as NGINX Rift demonstrate how modern infrastructure vulnerabilities increasingly depend on deployment configuration and exposed functionality, not on the mere presence of the software. Organizations should continue reviewing publicly exposed infrastructure carefully and ensure that unnecessary features, modules, and legacy configurations are removed wherever possible.
Nexusguard continues to actively monitor ongoing developments surrounding these vulnerabilities and will provide additional guidance where necessary.




