Friday, May 15, 2026

If Your Website Runs on Nginx, Patch It Today. A New Exploit Gives Attackers Full Control.

A security firm called DepthFirst disclosed a working exploit this week that can take over virtually any web server running Nginx - a piece of software that powers roughly a third of all websites on the internet.

The bug is called Nginx-Rift. It's been assigned CVE-2026-42945. If you run a website - especially one hosted on a VPS, a cloud VM, or a server you manage yourself - and it uses Nginx, you need to act today.

What the Bug Actually Does

Nginx has a feature that lets you rewrite URLs and set custom variables. The bug is in how Nginx calculates how much memory to set aside before processing a rewrite rule. In short: the calculation step and the actual copy step don't agree on how much space is needed. An attacker can send a carefully crafted request to your server that overflows the buffer and plants code.

The technical name for this is a heap buffer overflow. The practical name is: an attacker sends your server a URL and gets a shell. Without logging in. Without credentials. From anywhere on the internet.

The vulnerability was introduced in 2008 and has been present in every version of Nginx since 0.6.27. That's 18 years of exposure.

A proof-of-concept exploit is now public on GitHub. That means the window before automated attacks start scanning for vulnerable servers is measured in hours to days, not weeks.

What's Affected

  • Nginx Open Source: versions 0.6.27 through 1.30.0
  • Nginx Plus: versions R32 through R36

What's Fixed

  • Nginx Open Source: 1.31.0 and 1.30.1
  • Nginx Plus: R36 P4, R35 P2, R32 P6

The vendor published a full advisory at F5's support portal.

Who Is Actually at Risk

Not every Nginx install is vulnerable. The exploit requires your Nginx config to use both the rewrite directive and the set directive together in the same configuration block. This is not universal, but it's common enough - especially in WordPress sites, WooCommerce stores, Laravel apps, and PHP-based sites that use clean URL rewrites.

If you set up your own server, there's a reasonable chance you have this configuration. If you're using managed WordPress hosting (WP Engine, Kinsta, Flywheel) or a platform like Render, Railway, or Heroku, your host needs to patch their infrastructure - and the good ones will be doing it now.

If you're on shared hosting through Bluehost, SiteGround, or similar - you're typically not running your own Nginx config, and your host handles patching.

What to Do Right Now

If you manage your own server:

  1. Check your Nginx version: nginx -v
  2. If it's older than the fixed releases listed above (1.31.0, or 1.30.1 on the stable branch), update immediately
  3. On Ubuntu/Debian: sudo apt update && sudo apt upgrade nginx
  4. On CentOS/RHEL: sudo yum update nginx
  5. Restart Nginx after updating: sudo systemctl restart nginx
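The following script automates the two questions this article raises: is the installed version inside the affected range, and does the config use rewrite and set in the same block (the precondition from "Who Is Actually at Risk")? It is example code written for this article, not DepthFirst's or F5's tooling, and the version boundaries are taken from the affected/fixed lists above.

```shell
# Added example, not DepthFirst's or F5's tooling. Two defender checks:
#   1. is the installed version inside the affected range the article lists?
#   2. does the config have a block that uses both rewrite and set?
# Extract "1.24.0" from the banner that nginx -v writes to stderr,
# e.g. "nginx version: nginx/1.24.0 (Ubuntu)".
nginx_version_from_banner() {
  v=${1##*nginx/}
  echo "${v%% *}"
}

# Turn major.minor.patch into one integer so ranges can be compared.
nginx_version_key() {
  major=${1%%.*}; rest=${1#*.}
  minor=${rest%%.*}
  case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
  patch=${patch%%[!0-9]*}       # drop "-2ubuntu7" style package suffixes
  echo $(( major * 1000000 + minor * 1000 + patch ))
}

# Succeeds when the version lies in 0.6.27 .. 1.30.0 (1.30.1 and 1.31.0 are fixed).
nginx_version_vulnerable() {
  key=$(nginx_version_key "$1")
  [ "$key" -ge 6027 ] && [ "$key" -le 1030000 ]
}

# Print the opening line of each block holding both a rewrite and a set
# directive; reads a config (or nginx -T output) on stdin. Crude brace
# tracking: one-line blocks are skipped and an if block counts as its own block.
nginx_blocks_with_rewrite_and_set() {
  awk '
    { line = $0; sub(/^[ \t]+/, "", line) }
    substr(line, 1, 1) == "#" { next }
    substr(line, length(line)) == "{" {
      depth++; hdr[depth] = line; rw[depth] = 0; st[depth] = 0; next
    }
    line ~ /^rewrite[ \t]/ { rw[depth] = 1 }
    line ~ /^set[ \t]/     { st[depth] = 1 }
    substr(line, 1, 1) == "}" { if (rw[depth] && st[depth]) print hdr[depth]; depth-- }
  '
}

# Run both checks against the live install when nginx is on the PATH.
if command -v nginx >/dev/null 2>&1; then
  ver=$(nginx_version_from_banner "$(nginx -v 2>&1)")
  if nginx_version_vulnerable "$ver"; then
    echo "nginx $ver is in the affected range; blocks using rewrite and set:"
    nginx -T 2>/dev/null | nginx_blocks_with_rewrite_and_set
  else echo "nginx $ver is outside the affected range"; fi
fi
```

A block being listed does not mean it is reachable by an attacker, but any listed block on an unpatched version is reason to treat the update as urgent rather than optional.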

If you use a managed host:

Check your provider's status page or support channel. Ask them directly: "Have you patched CVE-2026-42945?" If they can't answer, escalate or consider temporarily taking down non-essential externally-facing services until they can.

If you're not sure what you're running:

Log in to wherever your website is hosted. Look for a control panel. If it says "cPanel," "Plesk," or "DirectAdmin," ask your host. If you have SSH access, run nginx -v or which nginx.

Why This One Is Different

Security researchers are blunt: the existence of a public proof-of-concept changes the threat level significantly. Anyone with basic Linux skills can now run this exploit. There is no "only sophisticated attackers" buffer here.

DepthFirst, the firm that found the bug, built a security analysis system that discovered this vulnerability automatically by scanning Nginx's source code. That same capability - minus the responsible disclosure part - is available to anyone building automated scanning tools. Expect mass exploitation attempts within days.

The Bottom Line

This is not a "nice to patch eventually" situation. It is a patch-it-today-before-lunch situation.

If your site goes down because of a vulnerability that had a freely available fix and you didn't apply it, that's a hard conversation with your customers - and potentially with your cyber insurance provider.

Check your version. Run the update. Restart the server. That's it.

Sources: DepthFirst Security Advisory, GitHub; F5/Nginx Vendor Advisory K000160932, May 2026.

Danny Kowalski tests AI tools for The Useful Daily. He ran an HVAC business for 9 years, so he knows BS when he sees it.