K000161019: NGINX CVE-2026-42945
Published on May 14, 2026
K000161019: NGINX ngx_http_rewrite_module vulnerability CVE-2026-42945 needs immediate review anywhere rewrite rules are doing request handling in front of applications, APIs, or login flows. If your stack depends on complex `rewrite`, `if`, `return`, or URI normalization behavior, this is the place to check first. The good news is that the issue is usually manageable with a clear audit, a temporary ruleset cleanup, and a controlled NGINX update.
For most operators, the practical question is not whether NGINX is present. It is whether `ngx_http_rewrite_module` is used in a way that lets crafted requests bypass intended routing or security logic. That distinction matters. A plain static site with minimal config is a very different risk profile from a multi-tenant app gateway with legacy rewrite chains and a few heroic regexes written at 2 a.m.
The official link: https://my.f5.com/manage/s/article/K000161019