Date: 2026-05-14
Updated: 2026-05-21
HIGH risk vulnerability in the “nginx” module “ngx_http_rewrite_module”,
which is used by many web services. It is described in detail in [R 1] [R 2].
EGI SVG ID : EGI-SVG-2026-16
CVE ID : CVE-2026-42945
CVSSv3 Score:
Sites are strongly recommended to patch their nginx instances
as soon as possible. At the time of writing, patches are only
available for very few distributions. AlmaLinux has patches.
Please consult the references listed below for your distribution(s).
For mitigation options, see [R 1] under:
"Temporary mitigation: rewrite your rewrites"
Whereas the CVSS assessment detailed in [R 2] rates the risk as critical,
EGI SVG judges the risk to be high, because of the complexity of
achieving an actual exploit rather than a DoS (see [R 1]).
However, if an actual exploit gets published, the risk will become critical.
Therefore, please patch your instances as soon as possible!
TLP:CLEAR information - Unlimited distribution
https://advisories.egi.eu/Advisory-EGI-SVG-2026-16
https://advisories.egi.eu/Advisory-SVG-42945
Minor updates may be made without re-distribution to the sites.
This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and
the EGI (https://www.egi.eu/) Software Vulnerability Group
must be credited.
Comments or questions should be sent to
svg-rat at mailman.egi.eu
Vulnerabilities relevant for EGI can be reported at
report-vulnerability at egi.eu
(see [R 99] for further details, and other information on SVG)
[R 7] https://errata.almalinux.org/ (AlmaLinux - see [R 1])
SVG was alerted to this vulnerability by the EGI CSIRT