
Critical NGINX RCE vulnerability CVE-2026-42945

By Beltran Rueda Borrego posted 26 days ago


A critical security issue, dubbed NGINX Rift and identified as CVE-2026-42945, has been disclosed. This vulnerability affects both NGINX Open Source and NGINX Plus. We are publishing this post to provide immediate guidance and confirm the rapid release of patched images for all affected Bitnami customers.

Understanding the Critical Flaw: NGINX Rift (CVE-2026-42945)

The NGINX Rift vulnerability is a critical heap-based buffer overflow flaw discovered within the ngx_http_rewrite_module. This memory corruption issue has existed for 18 years and affects NGINX Open Source versions 0.6.27 through 1.30.0, as well as NGINX Plus R32 through R36.

The flaw can be exploited by an unauthenticated remote attacker sending crafted HTTP requests when a specific configuration pattern is in use: a rewrite directive that uses an unnamed regex capture together with a replacement string containing a question mark. Successful exploitation can lead to Remote Code Execution (RCE) in the NGINX worker process or cause the worker to enter a crash loop, which degrades service availability. F5 coordinated the patch release on May 13, 2026, and as of now there is no known exploitation in the wild. More details are available at https://depthfirst.com/nginx-rift.

Bitnami's Immediate Response

In line with our commitment to rapid CVE remediation, the Bitnami team released patched versions of all affected container images and Helm charts within hours of the disclosure.


Action Required: Immediate Remediation

We strongly urge all customers to update their NGINX-based deployments immediately.

  • Upgrade: Upgrade to a patched version as soon as possible. The fixed versions are NGINX Open Source 1.31.0 and 1.30.1. Bitnami has already released the corresponding updated container images and Helm charts.

  • Mitigation (If an immediate upgrade is not feasible): If you are unable to upgrade immediately, you can mitigate the risk by reviewing your NGINX configuration and replacing any unnamed regex captures with named captures in your rewrite directives. You can find specific examples at https://depthfirst.com/nginx-rift
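As an added example (not Bitnami or NGINX code), the following Python script audits an nginx configuration for rewrite directives that match the pattern described above, an unnamed (positional) capture in the regex combined with a question mark in the replacement, and prints each flagged directive rewritten with named captures, which is the mitigation recommended for deployments that cannot upgrade yet. The sample configuration, the generated group names gN, and the function names are constructed for illustration. It is a textual check of the config file, not a test of whether an instance is exploitable, and the group-numbering heuristic does not cover every PCRE construct, so review each suggested directive before applying it.

```python
"""Audit nginx rewrite directives for an unnamed regex capture combined with
a '?' in the replacement, and suggest a named-capture equivalent.
Added example; not Bitnami or NGINX code."""
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONFIG = """\
server {
    listen 80;
    # unnamed capture plus '?' in the replacement: matches the described pattern
    rewrite ^/old/(.*)$ /new/$1? permanent;
    # named capture: the replacement references $slug, not a positional group
    rewrite ^/item/(?<slug>[^/]+)$ /product/$slug? last;
    # unnamed capture but no '?' in the replacement: not the described pattern
    rewrite ^/blog/(.*)$ /posts/$1 last;
    # named group followed by an unnamed one: $2 must be renamed, $lang stays
    rewrite "^/(?<lang>en|de)/docs/([^/]+)$" /docs/$lang/$2? break;
}
"""

# A rewrite argument is a double-quoted, single-quoted or bare token.
ARG = r'"[^"]*"|\'[^\']*\'|\S+'
REWRITE_RE = re.compile(
    rf'^\s*rewrite\s+({ARG})\s+({ARG})(?:\s+(last|break|redirect|permanent))?\s*;')


def _unquote(arg):
    if len(arg) >= 2 and arg[0] == arg[-1] and arg[0] in '"\'':
        return arg[1:-1]
    return arg


def name_unnamed_captures(pattern, replacement):
    """Return (pattern, replacement, changed): every positional capture becomes
    (?<gN>...) and $N references are updated to $gN. Named groups also consume
    a group number in PCRE, so numbering counts both kinds of group."""
    out, renames, group_no, in_class, i = [], {}, 0, False, 0
    while i < len(pattern):
        c = pattern[i]
        if c == '\\':                          # escaped char: copy verbatim
            out.append(pattern[i:i + 2]); i += 2; continue
        if in_class:                           # inside [...] a '(' is literal
            in_class = c != ']'
        elif c == '[':
            in_class = True
        elif c == '(':
            nxt = pattern[i + 1:i + 3]
            if nxt[:1] != '?':                 # bare '(' is an unnamed capture
                group_no += 1
                renames[group_no] = f"g{group_no}"
                out.append(f"(?<g{group_no}>"); i += 1; continue
            # (?<name>, (?P<name>, (?'name' are named groups (numbered, kept);
            # (?<= and (?<! are lookbehinds and (?: is non-capturing.
            if nxt in ('?<', '?P', "?'") and pattern[i + 2:i + 4] not in ('<=', '<!'):
                group_no += 1
        out.append(c); i += 1
    new_repl = re.sub(r'\$([1-9])',
                      lambda m: '$' + renames.get(int(m.group(1)), m.group(1)),
                      replacement)
    return ''.join(out), new_repl, bool(renames)


def audit_config(text):
    """Return findings for rewrites whose regex has an unnamed capture and
    whose replacement contains '?', each with a suggested replacement line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REWRITE_RE.match(line)
        if not m:
            continue
        pattern, repl, flag = _unquote(m.group(1)), _unquote(m.group(2)), m.group(3)
        new_pat, new_repl, changed = name_unnamed_captures(pattern, repl)
        if changed and '?' in repl:
            suffix = f" {flag}" if flag else ""
            findings.append({
                'line': lineno, 'regex': pattern, 'replacement': repl,
                'suggested': f'rewrite "{new_pat}" {new_repl}{suffix};'})
    return findings


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: rewrite {f['regex']} {f['replacement']}")
        print(f"    suggested: {f['suggested']}")
```

Run it against a real file with `audit_config(open('/etc/nginx/nginx.conf').read())`; because nginx loads further files through `include`, walk every included file as well, since a vulnerable rewrite in a site-specific file is just as reachable as one in the main configuration.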

We remain committed to transparency and the rapid protection of our users. If you have any questions, please reach out to our support team.
