External risk intelligence

NGINX could allow external attackers to disrupt service or execute arbitrary code.

NGINX Plus and NGINX Open Source could allow external attackers to disrupt service or execute code by sending specific web requests. This potentially impacts the availability and integrity of our web infrastructure.

NVD published May 13, 2026 (2 days ago)

External risk briefCRITICAL

CVE-2026-42945

Halo Surface Signal

5/ 5

NGINX is a ubiquitous web server and reverse proxy explicitly designed to face the public internet to process HTTP traffic. Because its primary deployment pattern involves positioning it at the network edge to handle incoming external requests, it is inherently public-facing by design.

Exposure facts

CVSS

9.2

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

EPSS

0.17%

H – Horizon Alert

A security vulnerability has been identified in NGINX Plus and NGINX Open Source related to how the software handles specific web request configurations. An unauthorized individual could potentially trigger a service disruption, causing the application to restart unexpectedly. In certain system environments, this flaw also presents a risk of unauthorized code execution, which could impact the overall integrity and availability of our web infrastructure.

A – Asset Exposure

This vulnerability impacts NGINX Plus and NGINX Open Source deployments, which are frequently configured as internet-facing web servers or proxies. Because these systems process incoming web traffic, external attackers could trigger a worker process crash, potentially leading to a disruption of service availability. Additionally, in specific system configurations, this issue could result in unauthorized system access.

L – Live Threat

The provided context does not indicate active exploitation or observed targeting of this vulnerability. While it is possible for an unauthorized actor to trigger a process restart—or potentially achieve code execution in environments lacking specific memory protections—there is no evidence of public exploit availability at this time. Accordingly, there are currently no live-threat signals associated with this issue.

O – Operational Fix

Please direct your IT and security teams to review the official vendor guidance for NGINX to determine if your specific configurations are susceptible to this processing issue. Teams should verify if your current deployments utilize the impacted rewrite module, as this is a necessary step to identify if software updates or configuration changes are required. You can find specific remediation instructions for your environment via the provided vendor support documentation.