A critical security flaw discovered by an autonomous AI system threatens millions of web servers today as platform engineers race to patch an 18-year-old vulnerability in NGINX. The flaw, nicknamed “NGINX Rift,” allows for unauthenticated remote code execution or persistent denial-of-service attacks across infrastructure powering everything from simple websites to high-stakes AI backends.
- Depthfirst’s autonomous AI auditing system discovers NGINX Rift, a critical eighteen-year-old vulnerability affecting millions of global web servers.
- The CVE-2026-42945 flaw carries a CVSS score of 9.2 and exposes nineteen million internet-facing instances to remote code execution.
- F5 issues urgent security updates for NGINX Plus as engineers race to patch legacy infrastructure used by enterprise artificial intelligence backends.
The security researchers at Depthfirst disclosed the vulnerability on May 13, 2026, after their autonomous auditing system scanned the open-source web server’s codebase. The AI identified multiple memory corruption issues in six hours of analysis, flagging a critical heap buffer overflow tracked as CVE-2026-42945. The bug resided in the ngx_http_rewrite_module and triggered when a rewrite directive using an unnamed PCRE capture, such as $1, appeared with a question mark in the replacement string and was followed by another rewrite, if, or set directive.
F5, the maintainer of NGINX, confirmed the vulnerability in an official advisory and assigned it a CVSS score of 9.2. The flaw dated back to version 0.6.27, released in 2008, and affected every open-source release through 1.30.0. Impacted commercial versions included NGINX Plus releases R32 through R36. F5 stated that on hosts where Address Space Layout Randomization (ASLR) was disabled, the overflow delivered full unauthenticated remote code execution (RCE). On systems with ASLR enabled, attackers could still crash worker processes repeatedly, giving a reliable path to denial of service.
Depthfirst published a technical breakdown and a working proof-of-concept (PoC) exploit on GitHub within hours of the public disclosure. The PoC demonstrated how the mismatch between NGINX’s buffer size calculation and its subsequent copying of escaped data created the overflow condition. The rapid release of a functional exploit caught the industry flat-footed. Real-time internet scans showed roughly 19 million internet-facing NGINX instances running vulnerable version banners. The United States hosted the highest concentration with more than 5.3 million exposed servers, followed by China at 2.54 million and Germany at 1.87 million.
The NGINX project responded by shipping fixes in stable release 1.30.1 and mainline 1.31.0. NGINX Plus users received updates via R36 P4 and specific backports. For operators unable to patch immediately, F5 recommended a configuration workaround: replace every unnamed capture ($1, $2) with a named one (?<name>) inside affected rewrite rules. Security analysts noted that while the total exposure count was massive, the actual trigger required a specific configuration pattern that generic scanners could not immediately detect.
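The trigger pattern described above (an unnamed capture such as $1 plus a question mark in the replacement, followed by another rewrite, if, or set directive in the same block) and F5's named-capture workaround are both mechanical enough to check for in configuration. The following audit script is an added example written for this article; it is not code from Depthfirst, F5, or the NGINX project. It is a line-oriented heuristic over nginx.conf text, not a full nginx config parser: it assumes one directive per line, unquoted regexes without spaces, and braces that only appear as block delimiters. The sample configuration is constructed for the demonstration. The variable names `$c1`, `$c2`, ... that the hardening step generates are an arbitrary naming choice for the named captures.

```python
import re

# Constructed sample nginx configuration for the demonstration (not a real deployment).
SAMPLE_CONF = """server {
    listen 80;
    location /old/ {
        rewrite ^/old/(.*)$ /new/$1? last;      # unnamed capture + '?' followed by 'set'
        set $backend "app";
    }
    location /safe/ {
        rewrite ^/safe/(?<rest>.*)$ /new/$rest? last;   # named capture: the workaround
        set $backend "app";
    }
    location /noq/ {
        rewrite ^/noq/(.*)$ /new/$1 last;       # no '?' in the replacement
        rewrite ^/x$ /y permanent;
    }
    location /alone/ {
        rewrite ^/alone/(.*)$ /new/$1? last;    # not followed by rewrite/if/set in this block
    }
}
"""

# rewrite <regex> <replacement> [flag];   (heuristic: no quoting, no spaces inside the regex)
REWRITE_RE = re.compile(r"^(\s*)rewrite\s+(\S+)\s+(\S+)((?:\s+\S+)?)\s*;")
# The three directive types the article names as the follow-up that completes the pattern.
DIRECTIVE_RE = re.compile(r"^\s*(rewrite|if|set)\b")
UNNAMED_RE = re.compile(r"\$(\d+)")


def is_risky(m: "re.Match") -> bool:
    """Replacement uses an unnamed capture ($N) and contains a question mark."""
    repl = m.group(3)
    return bool(UNNAMED_RE.search(repl)) and "?" in repl


def name_captures(regex: str) -> str:
    """Turn every unnamed capturing group into a named one, numbered in PCRE order.
    Heuristic: escaped parens are skipped; '(' inside a character class is not handled."""
    out, n, i = [], 0, 0
    while i < len(regex):
        ch = regex[i]
        if ch == "\\" and i + 1 < len(regex):   # keep escape sequences intact
            out.append(regex[i:i + 2])
            i += 2
            continue
        if ch == "(" and not regex.startswith("(?", i):   # plain capturing group
            n += 1
            out.append(f"(?<c{n}>")
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def harden_rewrite(line: str) -> str:
    """Rewrite one 'rewrite' directive so it uses named captures ($cN) only.
    Trailing comments are dropped. Non-rewrite lines are returned unchanged."""
    m = REWRITE_RE.match(line.split("#", 1)[0])
    if not m:
        return line
    indent, regex, repl, flag = m.groups()
    named = name_captures(regex)
    repl = re.sub(r"\$(\d+)", lambda g: f"$c{g.group(1)}", repl)
    return f"{indent}rewrite {named} {repl}{flag};"


def audit(conf: str) -> list:
    """Flag risky rewrites that are followed by rewrite/if/set at the same block depth."""
    findings, pending, depth = [], None, 0
    for no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0]
        if pending and depth < pending[1]:       # enclosing block closed: pattern not completed
            pending = None
        d = DIRECTIVE_RE.match(line)
        if pending and d and depth == pending[1]:
            findings.append({
                "line": pending[0],
                "directive": pending[2].strip(),
                "followed_by": d.group(1),
                "follow_line": no,
                "suggested": harden_rewrite(pending[2]).strip(),
            })
            pending = None
        m = REWRITE_RE.match(line)
        if m and is_risky(m):
            pending = (no, depth, raw)
        depth += line.count("{") - line.count("}")
    return findings


def harden_config(conf: str) -> str:
    """Apply the named-capture workaround to every risky rewrite in the config text."""
    out = []
    for raw in conf.splitlines():
        m = REWRITE_RE.match(raw.split("#", 1)[0])
        out.append(harden_rewrite(raw) if (m and is_risky(m)) else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for f in audit(SAMPLE_CONF):
        print(f"line {f['line']}: {f['directive']}")
        print(f"  followed by '{f['followed_by']}' on line {f['follow_line']}")
        print(f"  suggested: {f['suggested']}")
```

Run against the sample, the audit reports only the `/old/` rewrite, because `/safe/` already uses a named capture, `/noq/` has no question mark in its replacement, and `/alone/` is not followed by a rewrite, if, or set directive in its block. The hardening step converts `$1` to `$c1` and the corresponding `(.*)` to `(?<c1>.*)`, which is the shape of F5's recommended workaround; it is a convenience for triage, not a substitute for upgrading to 1.30.1 / 1.31.0 or the corresponding NGINX Plus release.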
The discovery carried significant weight in the cybersecurity community because it originated from an autonomous AI system rather than human manual review. Depthfirst reported that its tool surfaced four separate remote memory issues, including the “Rift” flaw that sat latent since the rewrite engine’s early development. The speed of the discovery collapsed the typical timeline between code review and public exploitation, highlighting a new reality for teams managing legacy plumbing. Platform engineers who previously viewed NGINX as “set-it-and-forget-it” infrastructure began auditing rewrite rules globally to close the 18-year-old security gap.
Chain Street’s Take
The NGINX Rift discovery proves that “security through obscurity” is officially dead in the age of autonomous AI auditing. An 18-year-old bug sat in one of the most scrutinized codebases on earth until a machine found it in six hours, immediately putting 19 million servers at risk. For the crypto and AI sectors, where NGINX often serves as the primary ingress for high-value APIs and Kubernetes clusters, the “set-it-and-forget-it” mindset is now a liability. This event signals a shift where legacy infrastructure gets stress-tested at machine scale. Operators must prioritize automated patching cycles because the next ancient flaw is already being indexed by a rival AI scan.