News Own Your Online External Link Report it
News Own Your Online External Link
  1. Welcome to the National Cyber Security Centre
  2. Alerts
  3. CVE-2026-42945 affecting NGINX

CVE-2026-42945 affecting NGINX

This section contains time sensitive announcements about specific cyber threats, vulnerabilities and scams. Each alert has information you need to be aware of, and what actions to take to mitigate any risk to you or your organisation.

Subscribe to our updates to be notified as soon as we publish an alert.

4:00PM, 15 May 2026

TLP Rating: Clear

CVE-2026-42945 affecting NGINX

CVE-2026-42945 is a vulnerability in the ngx_http_rewrite_module of NGINX. It can lead to denial of service and, under certain conditions, remote code execution.

What's happening

Systems affected

CVE-2026-42945 affects the following NGINX versions:

  • NGINX Open Source versions 0.6.27 through 1.30.0.
  • NGINX Plus R32 through R36.
  • NGINX Instance Manager 2.16.0 through 2.21.1.
  • F5 WAF for NGINX 5.9.0 through 5.12.1.
  • NGINX App Protect WAF 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0.
  • F5 DoS for NGINX 4.8.0.
  • NGINX App Protect DoS 4.3.0 through 4.7.0.
  • NGINX Gateway Fabric 1.3.0 through 1.6.2 and 2.0.0 through 2.5.1.
  • NGINX Ingress Controller 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.1.

What to do

Prevention

Update to the latest patch.

More information

Read more about this alert on the vendor website:

NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945 External Link
External Link

If you require more information or further support, submit a report on our website:

Report an incident External Link