Critical Vulnerability in NGINX Found After 18 Years Shows AI’s Growing Impact

May 19, 2026


NGINX has been available since 2004, and the critical vulnerability that was uncovered is thought to have been present since 2008. The open source web server is a very popular tool for load balancing and serving static content, with estimates that almost a third of the world’s most popular websites use it.

Using AI tools, a team of researchers has found a critical vulnerability that has been sitting in the popular NGINX web server for 18 years. While Claude Mythos and OpenAI’s GPT-5.5-Cyber have been making news of late for their apparent lightning-speed ability to detect vulnerabilities in target systems, the researchers appear to have dug this one out with existing, commercially available tools.

The story throws yet more fuel on the fiery debate about the soon-to-arrive frontier AI models and what realistic cybersecurity expectations will have to be going forward. NGINX was thought to be fairly “clean,” in the sense that its existing code, certainly the codebase dating back to the 2000s, had already been scoured for potential exploits. However, this flaw requires a specific and somewhat unusual setup to exploit, even though it is considered a “critical vulnerability” due to its potential for damage (CVSS score of 9.2). Does this point to AI creating an even bigger continual patching headache, or will its utility be limited to sniffing out similarly obscure and niche issues?

AI and the expected critical vulnerability avalanche

Mythos and GPT-5.5-Cyber are currently not available to the general public; they are instead in a limited-access program that allows governments and organizations handling sensitive data (such as those in finance and health care) to test their defenses against them before they are made more broadly available. This has led to numerous stories of these models indexing dozens to hundreds of vulnerabilities within short periods of time, some of which had been present in code, undiscovered, for over 10 years.

This story is along those lines, though it uses a custom proprietary security tool rather than frontier models. Nevertheless, it highlights the fact that any older and seemingly stable codebase could be hiding a showstopping critical vulnerability that a quick application of AI could uncover.


Critical vulnerability CVE-2026-42945 is a buffer overflow issue that can be triggered when a configuration uses both the “rewrite” and “set” directives. That combination is not uncommon among users, but the flaw also requires less common usage of rewrite patterns. It additionally requires a default security feature, Address Space Layout Randomization (ASLR), to be disabled, though this is something that customers also sometimes do for performance purposes in certain scenarios.

NGINX attack includes possibility of remote code execution

The NGINX flaw gets a critical vulnerability score of 9.2 due to the possibility of remote code execution, though remote code execution is reportedly even less likely than simply weaponizing the flaw for a denial-of-service attack. Under the right conditions, an attacker could potentially send a request that compromises the victim without any prior access or authorization.

How likely it is that a reliable exploit of this sort will be developed is the main point under debate, and it is a microcosm of the broader debate about how much frontier systems like Mythos will actually assist attackers in the nuts and bolts of break-ins. Nevertheless, security experts advise taking the CVSS score seriously and making it a high-priority patching item. Versions from 2008’s 0.6.27 through last month’s 1.30.0 are affected; upgrade to 1.31.0 or the stable 1.30.1 to remove the critical vulnerability.
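The exposure conditions the article lists (affected version range, a configuration that uses both the rewrite and set directives, and ASLR disabled) lend themselves to a quick triage check. The following script is an added example written for this page; it is not code from the article, the researchers, or the NGINX project. It assumes a Linux host where /proc/sys/kernel/randomize_va_space reports 0 when ASLR is disabled, treats the version range exactly as the article states it (0.6.27 through 1.30.0 affected, 1.30.1 and 1.31.0 fixed), and uses a constructed sample configuration. It only reports exposure and patch priority; it does not touch the flaw itself.

```python
"""Triage helper for CVE-2026-42945 exposure (added example, not from the article or NGINX).

Checks the three conditions the article names:
  1. nginx version in the affected range 0.6.27 .. 1.30.0 (fixed in 1.30.1 / 1.31.0)
  2. configuration that uses both the `rewrite` and `set` directives
  3. ASLR disabled (Linux: /proc/sys/kernel/randomize_va_space reads 0)
"""
import re
from pathlib import Path
from typing import Dict, Optional, Set, Tuple

# Affected range as stated in the article (inclusive on both ends).
AFFECTED_MIN: Tuple[int, int, int] = (0, 6, 27)
AFFECTED_MAX: Tuple[int, int, int] = (1, 30, 0)

# Constructed sample configuration (not a real deployment); uses both directives.
SAMPLE_CONFIG = """
http {
    server {
        listen 80;
        set $backend "app";   # set directive, comment should be ignored
        location / {
            rewrite ^/old/(.*)$ /new/$1 last;
            proxy_pass http://$backend;
        }
    }
}
"""


def parse_version(version_str: str) -> Tuple[int, int, int]:
    """Extract X.Y.Z from strings such as 'nginx/1.30.0' or 'nginx version: nginx/1.30.0'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_str)
    if not match:
        raise ValueError(f"no X.Y.Z version found in {version_str!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def version_affected(version_str: str) -> bool:
    """True when the version falls inside the affected range given by the article."""
    return AFFECTED_MIN <= parse_version(version_str) <= AFFECTED_MAX


def directives_used(config_text: str) -> Set[str]:
    """Return the set of directive names that start a statement in an nginx config.

    Comments are stripped, then the text is split on the statement/block separators
    ';', '{' and '}' and the first word of each piece is taken as the directive name.
    Limitation (documented, not handled): unquoted rewrite regexes containing '{' or '}'
    would split incorrectly; nginx itself requires such regexes to be quoted.
    """
    stripped = re.sub(r"#[^\n]*", "", config_text)
    found: Set[str] = set()
    for statement in re.split(r"[;{}]", stripped):
        words = statement.split()
        if words:
            found.add(words[0])
    return found


def aslr_disabled_from_value(value: Optional[str]) -> bool:
    """Interpret the randomize_va_space sysctl value: 0 means ASLR is off."""
    return value is not None and value.strip() == "0"


def read_aslr_value(proc_path: str = "/proc/sys/kernel/randomize_va_space") -> Optional[str]:
    """Read the ASLR sysctl if present; None on non-Linux hosts or missing file."""
    path = Path(proc_path)
    return path.read_text() if path.exists() else None


def triage(version_str: str, config_text: str, aslr_value: Optional[str]) -> Dict[str, object]:
    """Combine the three conditions into a single exposure verdict and patch priority."""
    affected = version_affected(version_str)
    rewrite_and_set = {"rewrite", "set"} <= directives_used(config_text)
    aslr_off = aslr_disabled_from_value(aslr_value)
    exposed = affected and rewrite_and_set and aslr_off
    if not affected:
        priority = "not affected (version outside range)"
    elif exposed:
        priority = "patch immediately: affected version, rewrite+set present, ASLR disabled"
    else:
        priority = "patch soon: affected version, but not all reachability conditions present"
    return {
        "version_affected": affected,
        "rewrite_and_set": rewrite_and_set,
        "aslr_disabled": aslr_off,
        "exposed": exposed,
        "priority": priority,
    }


if __name__ == "__main__":
    # Stand-alone run against the constructed sample and the live ASLR setting (if any).
    result = triage("nginx/1.30.0", SAMPLE_CONFIG, read_aslr_value())
    for key, value in result.items():
        print(f"{key}: {value}")
```

On a real host, feed `nginx -v` output (it prints `nginx version: nginx/X.Y.Z`) and `nginx -T` output (the fully resolved configuration, including included files) into `triage`; checking only the top-level nginx.conf would miss rewrite or set directives that live in included snippets.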