QTA-10002 - NGINX Rift CVEs: Impact on Unique AI
Advisory Status: MONITORING — As of 21 May 2026, Unique AI has assessed the NGINX Rift CVE cluster. No Unique AI deployment model is known to be impacted under default or standard configuration. This advisory will be updated as upstream Kong releases and NGINX guidance evolve.
1. Overview
On 20 May 2026, a cluster of critical and high-severity vulnerabilities in NGINX — collectively referred to publicly as NGINX Rift — was disclosed. The lead vulnerability, CVE-2026-42945, carries a CVSS score of 9.2 (Critical) and affects the ngx_http_rewrite_module. Additional CVEs cover the ngx_http_scgi_module, ngx_http_uwsgi_module, ngx_http_ssl_module, ngx_http_charset_module, ngx_http_proxy_v2_module, and ngx_quic_module.
Unique AI uses Kong Gateway as its API gateway layer. Kong Gateway is built on OpenResty, which in turn is based on NGINX. This advisory documents Unique AI's assessment of exposure across all supported deployment models.
2. Source References
Kong Gateway Open Source — Official NGINX Rift Security Advisory (GitHub Discussion #14867)
Kong Community Issue #14866 — CVE-2026-42945 and Kong OSS security patch timeline
3. CVE Details and Kong Gateway Impact Assessment
The following table is derived from the official Kong Gateway Open Source security advisory published on 20 May 2026. Unique AI endorses and references this assessment as the authoritative upstream position.
| CVE | NGINX Module | CVSS | Kong OSS Impacted | Rationale |
|---|---|---|---|---|
| CVE-2026-42945 | ngx_http_rewrite_module | 9.2 Critical | No | Kong does not use the |
| CVE-2026-42946 | ngx_http_scgi_module, ngx_http_uwsgi_module | High | No | Kong does not use these modules by default. Vulnerable only via custom NGINX template or injected directives. |
| CVE-2026-40701 | ngx_http_ssl_module | High | No | Kong does not rely on NGINX built-in OCSP verification in its default configuration. Vulnerable only via custom directive injection. |
| CVE-2026-42934 | | High | No | Kong does not configure the vulnerable directive combination by default. Vulnerable only via custom NGINX template or injected directives. |
| CVE-2026-42926 | | High | No | The |
| CVE-2026-40460 | ngx_quic_module | High | No | Kong does not enable HTTP/3 or QUIC in its default configuration. Vulnerable only via custom NGINX template or injected directives. |
4. Impact Assessment for Unique AI Clients
4.1 SaaS Clients — Multi-Tenant and Single-Tenant
Impact: None. Unique AI SaaS deployments — both multi-tenant and single-tenant managed instances — are not impacted by any of the NGINX Rift CVEs. Unique AI does not employ any of the vulnerable NGINX directives (rewrite, scgi, uwsgi, OCSP, charset, QUIC) in its Kong Gateway configuration. Unique AI is not aware of any use of such directives across its managed infrastructure.
4.2 Self-Hosted Clients
Impact: None under standard deployment — client verification recommended. Based on Kong's official advisory, standard Kong Gateway configurations are not impacted by the NGINX Rift CVEs. Unique AI is likewise not aware of any use of vulnerable directives in its published Helm charts or deployment reference configurations.
However, self-hosted clients bear ultimate responsibility for validating their own infrastructure. If your organisation has introduced custom NGINX templates, injected directives, or non-standard Kong configurations within your environment, you should verify that none of the vulnerable directive combinations are present. The vulnerable triggers require explicit, non-default configuration of the modules identified in the table above.
Unique AI recommends that self-hosted clients review their Kong Gateway configuration against the Kong advisory at GitHub Discussion #14867 and apply Kong's forthcoming 3.9.2 security release once available.
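The review described above can be scripted against the configuration Kong actually runs. The following is an added example, not Kong's or Unique AI's own tooling. It assumes that the rendered configuration is obtained with `kong prepare` and read from `$KONG_PREFIX/nginx-kong.conf` (or dumped with `nginx -T -c $KONG_PREFIX/nginx.conf`), and that injected directives arrive either as `nginx_<block>_<directive>` keys in kong.conf or as `KONG_NGINX_<BLOCK>_<DIRECTIVE>` environment variables. The directive names it searches for are this script's own mapping of the module families named in this advisory (rewrite, scgi, uwsgi, OCSP, charset, QUIC); the authoritative list is the Kong advisory, so each hit is a lead to check against Discussion #14867, not proof of exposure. Because a stock rendering may itself contain some of these directives, the script also diffs a custom rendering against a stock one so that only what your template or injected directives added remains. All sample inputs are constructed for the example.

```shell
#!/bin/sh
# Added example; not Kong's or Unique AI's own tooling.
# Scans (1) a rendered NGINX configuration (what `kong prepare` writes to
# $KONG_PREFIX/nginx-kong.conf) and (2) kong.conf-style injected directives
# (nginx_<block>_<directive> = value, or KONG_NGINX_<BLOCK>_<DIRECTIVE> in the
# environment) for directives from the module families the advisory names.
# ASSUMPTION: the directive-to-family mapping below is this script's own; the
# authoritative list is the Kong advisory (GitHub Discussion #14867).

# Directives that open a line. Only `rewrite` itself is listed for
# ngx_http_rewrite_module: `if`, `set` and `return` belong to the same module
# but are ordinary in a stock rendering, so they are deliberately not flagged.
RIFT_DIRECTIVES='rewrite(_log)?|scgi_[a-z_]+|uwsgi_[a-z_]+|ssl_ocsp[a-z_]*|ssl_stapling[a-z_]*|charset(_map|_types)?|override_charset|source_charset|http3[a-z_]*|quic_[a-z_]+'
# Blocks Kong accepts injected directives for (nginx_<block>_<directive>).
KONG_BLOCKS='main|events|http|proxy|admin|status|stream|sproxy|upstream|supstream'

# scan_nginx_conf FILE
# Prints "<line>:<directive text>" for every uncommented hit, including
# `listen ... quic`. Returns 1 if anything was found, 0 if clean.
scan_nginx_conf() {
    hits=$(grep -nE "^[[:space:]]*(($RIFT_DIRECTIVES)([[:space:]]|;|[{])|listen[[:space:]].*[[:space:]]quic([[:space:]]|;))" "$1" \
        | sed -E 's/^([0-9]+):[[:space:]]*/\1:/; s/[[:space:]]+$//')
    if [ -z "$hits" ]; then return 0; fi
    printf '%s\n' "$hits"
    return 1
}

# hits_not_in_stock STOCK_CONF CUSTOM_CONF
# Same scan on CUSTOM_CONF, minus any directive text that also appears in
# STOCK_CONF (a `kong prepare` rendering of an unmodified kong.conf). What is
# left is what custom templates or injected directives added.
hits_not_in_stock() {
    stock_dirs=$(scan_nginx_conf "$1" | sed 's/^[0-9]*://')
    custom=$(scan_nginx_conf "$2" || true)
    if [ -z "$custom" ]; then return 0; fi
    extra=$(printf '%s\n' "$custom" | while IFS= read -r hit; do
        directive=${hit#*:}
        printf '%s\n' "$stock_dirs" | grep -qxF -- "$directive" || printf '%s\n' "$hit"
    done)
    if [ -z "$extra" ]; then return 0; fi
    printf '%s\n' "$extra"
    return 1
}

# scan_kong_injected FILE
# Scans kong.conf lines of the form nginx_<block>_<directive> = value. For the
# environment form, write `env | tr 'A-Z' 'a-z'` to a file and scan that.
scan_kong_injected() {
    hits=$(grep -nE "^[[:space:]]*(kong_)?nginx_($KONG_BLOCKS)_($RIFT_DIRECTIVES)[[:space:]]*=" "$1" \
        | sed -E 's/^([0-9]+):[[:space:]]*/\1:/')
    if [ -z "$hits" ]; then return 0; fi
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample inputs (not real Kong output): a stock-like rendering,
# a customised rendering, and a kong.conf excerpt.
SAMPLE_STOCK=$(mktemp); SAMPLE_CUSTOM=$(mktemp); SAMPLE_KONG_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_STOCK" "$SAMPLE_CUSTOM" "$SAMPLE_KONG_CONF"' EXIT
cat > "$SAMPLE_STOCK" <<'EOF'
charset UTF-8;
server_tokens off;
server {
    listen 0.0.0.0:8000 reuseport backlog=16384;
    set $upstream_host '';
    location / {
        proxy_pass $upstream_scheme://kong_upstream$upstream_uri;
    }
}
EOF
cat > "$SAMPLE_CUSTOM" <<'EOF'
charset UTF-8;
server_tokens off;
server {
    listen 0.0.0.0:8000 reuseport backlog=16384;
    listen 0.0.0.0:8443 quic reuseport;
    http3 on;
    ssl_ocsp on;
    set $upstream_host '';
    # rewrite ^/legacy/(.*)$ /v2/$1;   (commented out: must not be flagged)
    rewrite ^/legacy/(.*)$ /v2/$1 permanent;
    location / {
        uwsgi_pass unix:/run/app.sock;
    }
}
EOF
cat > "$SAMPLE_KONG_CONF" <<'EOF'
# constructed kong.conf excerpt (not from Unique AI's published charts)
proxy_listen = 0.0.0.0:8000
nginx_http_charset = UTF-8
nginx_proxy_ssl_ocsp = on
nginx_http_client_max_body_size = 0
EOF

echo "== directives in the custom rendering that the stock rendering lacks =="
hits_not_in_stock "$SAMPLE_STOCK" "$SAMPLE_CUSTOM" || echo "REVIEW each hit against the Kong advisory"
echo "== injected directives in kong.conf =="
scan_kong_injected "$SAMPLE_KONG_CONF" || echo "REVIEW each hit against the Kong advisory"
```

On a real deployment, render both sides with `kong prepare -c <your kong.conf> -p /tmp/yours` and `kong prepare -c <unmodified kong.conf> -p /tmp/stock`, then point `hits_not_in_stock` at the two `nginx-kong.conf` files; that isolates what your custom template or injected directives contributed, which is exactly the scope the Kong advisory says matters. A clean result from these scans shows the absence of the named directive families, not the absence of every directive combination the upstream advisory describes, so keep the Kong 3.9.2 update on the schedule regardless.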
5. Recommended Actions
| Audience | Action Required | Priority |
|---|---|---|
| Unique AI SaaS clients (multi-tenant) | No action required. Unique AI has verified no exposure under managed configuration. | None |
| Unique AI SaaS clients (single-tenant managed) | No action required. Unique AI has verified no exposure under managed configuration. | None |
| Self-hosted clients | Review your Kong Gateway configuration for use of vulnerable NGINX directives. No action required under standard deployment. Monitor for the Kong 3.9.2 security release and apply when available. | Low — Verify Only |
6. Advisory Maintenance
This advisory is a living document. Unique AI will update this page as upstream events occur, such as the Kong 3.9.2 security release or revised NGINX guidance.
7. Document History
| Date | Version | Change |
|---|---|---|
| 21 May 2026 | 1.0 | Initial advisory published. Assessment: no impact on Unique AI SaaS or standard self-hosted deployments. |