To the UCB-Security community,
This is a notice from the Information Security Office to alert you to a critical vulnerability that impacts NGINX Plus and NGINX Open Source. Please share this alert internally with IT admins and service owners who run the product so they are aware of it and know what actions to take to address it.
SUMMARY
ISO is aware of a critical vulnerability, codenamed NGINX Rift, in the ngx_http_rewrite_module module of NGINX Plus and NGINX Open Source; this module is part of every standard NGINX build. The vulnerable condition is a rewrite directive that uses an unnamed Perl-Compatible Regular Expression (PCRE) capture (for example, $1, $2) in a replacement string that includes a question mark (?), and that is followed by another rewrite, if, or set directive.
IMPACT
This vulnerability may allow remote attackers to cause a denial of service (DoS) on the NGINX system or, on systems with Address Space Layout Randomization (ASLR) disabled, possibly to achieve code execution. There is no control plane exposure; this is a data plane issue only.
WHAT IS VULNERABLE
- NGINX Open Source versions 0.6.27 through 1.30.0.
- NGINX Plus R32 through R36.
- NGINX Instance Manager 2.16.0 through 2.21.1.
- F5 WAF for NGINX 5.9.0 through 5.12.1.
- NGINX App Protect WAF 4.9.0 through 4.16.0 and 5.1.0 through 5.8.0.
- F5 DoS for NGINX 4.8.0.
- NGINX App Protect DoS 4.3.0 through 4.7.0.
- NGINX Gateway Fabric 1.3.0 through 1.6.2 and 2.0.0 through 2.5.1.
- NGINX Ingress Controller 3.5.0 through 3.7.2, 4.0.0 through 4.0.1, and 5.0.0 through 5.4.1.
RECOMMENDATIONS
Apply the vendor's fixes to the affected versions listed below (fixed releases are named where the notice identifies them):
- NGINX Plus R32 - R36 (fixed in R32 P6 and R36 P4)
- NGINX Open Source 1.0.0 - 1.30.0 (fixed in 1.30.1 and 1.31.0)
- NGINX Open Source 0.6.27 - 0.9.7 (no fixes planned; migrate to a supported release)
- NGINX Instance Manager 2.16.0 - 2.21.1
- F5 WAF for NGINX 5.9.0 - 5.12.1
- NGINX App Protect WAF 4.9.0 - 4.16.0
- NGINX App Protect WAF 5.1.0 - 5.8.0
- F5 DoS for NGINX 4.8.0
- NGINX App Protect DoS 4.3.0 - 4.7.0
- NGINX Gateway Fabric 1.3.0 - 1.6.2
- NGINX Gateway Fabric 2.0.0 - 2.5.1
- NGINX Ingress Controller 3.5.0 - 3.7.2
- NGINX Ingress Controller 4.0.0 - 4.0.1
- NGINX Ingress Controller 5.0.0 - 5.4.1
MITIGATION
If you are unable to follow the above recommendations immediately, you can mitigate the issue by changing the rewrite configuration: in every affected rewrite directive, replace unnamed captures ($1, $2, ...) with named captures (for example, (?<name>...) in the regular expression, referenced as $name in the replacement). Treat this as a stopgap; patching is the only complete fix.
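The following script is an added example for this notice; it is not code from the ISO, from NGINX, or from F5. It scans an nginx configuration (a file, or a saved `nginx -T` dump) for rewrite directives that match the pattern described in the SUMMARY (an unnamed PCRE capture in a replacement string that contains a question mark) and shows, on constructed sample configs, the vulnerable form beside the named-capture form from the MITIGATION section. It assumes one directive per line and that the regex and replacement arguments contain no whitespace, which is how nginx configs are normally written; the sample configs and file names are constructed for the example.

```shell
#!/bin/sh
# Added example; not the ISO's, NGINX's or F5's code.
# Scan an nginx config for rewrite directives whose replacement string
# uses an unnamed PCRE capture ($1, $2, ...) and contains a "?".
# Assumptions (ours): one directive per line, no whitespace inside the
# regex or replacement arguments, so awk field splitting gives
#   $1 = "rewrite"   $2 = regex   $3 = replacement

# Print each matching directive as file:line: <directive>.
# Returns 1 if anything was flagged, 0 otherwise (usable as a CI gate).
find_unnamed_rewrites() {
  awk '
    BEGIN { hits = 0 }
    $1 == "rewrite" && NF >= 3 {
      repl = $3
      # [$][0-9] is a literal "$" followed by a digit: $1, $2, ...
      # A named capture is referenced as $name, which does not match.
      if (repl ~ /[$][0-9]/ && index(repl, "?") > 0) {
        print FILENAME ":" NR ": " $0
        hits++
      }
    }
    END { if (hits > 0) exit 1; exit 0 }
  ' "$1"
}

# Number of flagged directives, as a bare integer.
count_unnamed_rewrites() {
  find_unnamed_rewrites "$1" | wc -l | tr -d ' '
}

# --- Constructed sample configurations (not real deployed configs) ---------
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
VULN="$tmp/vulnerable.conf"
MITIGATED="$tmp/mitigated.conf"

# Affected pattern: unnamed capture $1 in a replacement that contains "?",
# followed by a "set" directive.
cat > "$VULN" <<'EOF'
location /old/ {
    rewrite ^/old/(.*)$ /new?path=$1 break;
    set $legacy 1;
}
EOF

# Mitigation from the notice: the same rewrite with a named capture.
# (?<path>...) captures into $path, so no numeric capture is referenced.
cat > "$MITIGATED" <<'EOF'
location /old/ {
    rewrite ^/old/(?<path>.*)$ /new?path=$path break;
    set $legacy 1;
}
EOF

echo "== $VULN =="
find_unnamed_rewrites "$VULN" || echo "-> convert the directive(s) above to named captures"
echo "== $MITIGATED =="
find_unnamed_rewrites "$MITIGATED" && echo "-> clean"
```

To check a running server, save its effective configuration with `nginx -T > /tmp/nginx-dump.conf` (the dump goes to stdout, the test messages to stderr) and run `find_unnamed_rewrites /tmp/nginx-dump.conf`. The scan is deliberately conservative: it flags every rewrite that uses an unnamed capture with a "?" in its replacement, whether or not a rewrite, if, or set directive follows, and a clean result means only that this particular pattern is absent, not that the build is patched.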
REFERENCES
If you have any questions about the vulnerability or would like some assistance patching or mitigating it, please contact security@berkeley.edu.