A vulnerability identified as CVE-2026-42945 has been reported in the NGINX ngx_http_rewrite_module.
This issue affects specific NGINX configurations that use rewrite directives with unnamed PCRE captures such as $1 or $2, where the replacement string includes a question mark ?. Under certain conditions, an unauthenticated attacker may be able to send crafted HTTP requests that cause an NGINX worker process to crash. On systems where Address Space Layout Randomization (ASLR) is disabled, code execution may also be possible.
According to the official NGINX advisory, NGINX Open Source versions 0.6.27 through 1.30.0 are affected. Versions 1.30.1 and later and 1.31.0 and later are listed as not vulnerable.
| Product | Branch | Vulnerable Version | Patched / Fixed Version | Severity | Vulnerable Component |
|---|---|---|---|---|---|
| NGINX Plus | 37.x | None | 37.0.0 | High 8.1 / Critical 9.2 | ngx_http_rewrite_module |
| NGINX Plus | R32 – R36 | R32 to R36 | R32 P6 / R36 P4 | High 8.1 / Critical 9.2 | ngx_http_rewrite_module |
| NGINX Open Source | 1.x | 1.0.0 to 1.30.0 | 1.30.1 / 1.31.0 | High 8.1 / Critical 9.2 | ngx_http_rewrite_module |
Recommended Action
EuroVPS strongly recommends that all customers running NGINX verify their installed version and review their NGINX rewrite rules.
Check the installed NGINX version:
nginx -v
Check for rewrite rules using unnamed captures:
nginx -T 2>/dev/null | grep -nE 'rewrite[[:space:]].*\$[0-9]'
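The grep above matches any rewrite line containing an unnamed capture, while the condition described in this advisory also requires a question mark in the replacement string. The following is an added example (not EuroVPS or NGINX code) that tests both on the replacement field only; it assumes one directive per line and no whitespace inside the regex or replacement, and `find_risky_rewrites` and `sample_config` are names chosen here.

```shell
#!/bin/sh
# Added example, not EuroVPS or NGINX code. Flags rewrite directives whose
# REPLACEMENT string has both an unnamed capture ($1..$9) and a question mark.
# Assumptions: one directive per line, no whitespace inside the regex or
# replacement tokens.

find_risky_rewrites() {
    # Reads nginx configuration text on stdin, prints "LINE: directive".
    awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)             # drop indentation
        if (line !~ /^rewrite[ \t]/) next    # skips comments and other directives
        n = split(line, f, /[ \t]+/)         # f[2] = regex, f[3] = replacement
        if (n < 3) next
        # Test only the replacement: the regex field legitimately contains
        # "$" (end anchor) and "?" (as in "(?<name>...)"), which would
        # mislead a whole-line grep.
        if (f[3] ~ /\$[0-9]/ && index(f[3], "?") > 0)
            printf "%d: %s\n", NR, line
    }'
}

# Constructed sample configuration (not from a real server).
sample_config() {
    cat <<'EOF'
server {
    rewrite ^/user/([0-9]+)$ /profile.php?id=$1? last;
    rewrite ^/user/(?<userid>[0-9]+)$ /profile.php?id=$userid? last;
    rewrite ^/old/(.*)$ /new/$1 permanent;
    # rewrite ^/x/(.*)$ /y?z=$1 last;
}
EOF
}

sample_config | find_risky_rewrites
# On a server: nginx -T 2>/dev/null | find_risky_rewrites
```

Line numbers refer to positions in the `nginx -T` dump, as with `grep -n`.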
Update to a Patched NGINX Version
The permanent fix for CVE-2026-42945 is to update NGINX to a patched, vendor-supported version.
If your server is running an affected NGINX version, update it to the latest patched NGINX release using the official packages provided by your operating system vendor, control panel vendor, or NGINX/F5.
Temporary Mitigation
If an immediate update is not possible, review any affected rewrite directives and replace unnamed captures such as $1 and $2 with named captures where applicable.
Example of a rewrite rule using an unnamed capture:
rewrite ^/user/([0-9]+)$ /profile.php?id=$1? last;
Example using a named capture:
rewrite ^/user/(?<userid>[0-9]+)$ /profile.php?id=$userid? last;
After making configuration changes, always validate and reload NGINX:
nginx -t
systemctl reload nginx
Temporary configuration changes should not be treated as a replacement for patching. The recommended long-term fix is to update NGINX to a vendor-supported, non-vulnerable version.
Plesk Servers
Plesk has confirmed that Plesk for Linux ships NGINX as part of its core installation and may be affected by CVE-2026-42945, depending on the installed NGINX version and rewrite rule configuration. The issue applies when rewrite rules reference unnamed regex captures such as $1, $2, and similar patterns.
Plesk states that NGINX versions below 1.31.1 mainline or 1.30.1 stable are vulnerable if affected rewrite rules are present. Plesk also notes that an updated NGINX package is expected through the official Plesk update channel.
For Plesk-managed servers, customers should apply the official Plesk update once available. EuroVPS does not recommend replacing the Plesk-provided NGINX package with unsupported third-party builds, as this may affect Plesk integration and future updates.
| Product | Branch | Vulnerable Version | Patched / Fixed Version | Severity | Vulnerable Component |
|---|---|---|---|---|---|
| Plesk for Linux NGINX | Plesk-provided NGINX | Below 1.31.1 mainline or below 1.30.1 stable, if affected rewrite rules are present | Official Plesk NGINX update package | High 8.1 / Critical 9.2 | ngx_http_rewrite_module |
EuroVPS Recommendation
EuroVPS advises customers to keep all internet-facing software fully updated and to avoid running unsupported or end-of-life operating systems and application stacks.
Customers using NGINX should:
- Confirm the installed NGINX version.
- Review rewrite rules using $1, $2, or similar unnamed captures.
- Apply vendor-provided NGINX updates as soon as available.
- Restart or reload NGINX after patching.
- Ensure ASLR is enabled on the server.
Need Assistance?
If your server is managed by EuroVPS and you need help reviewing or patching NGINX, please open a support ticket from the EuroVPS Client Area.
Our team can assist with checking the installed NGINX version, reviewing rewrite rules, applying available updates, and validating the service after patching.
References
Plesk Advisory: CVE-2026-42945 in NGINX