
2026-05-26 Security Advisory: CVE-2026-42945 (NGINX)

Advisory date:
CVE: CVE-2026-42945
Severity (vendor): Critical (CVSS 4.0: 9.2 / CVSS 3.1: 8.1, F5 Networks)


Summary

A security vulnerability has been disclosed in NGINX Open Source and related products, including certain NGINX-based ingress components. The issue can, under specific configuration conditions, allow an unauthenticated remote attacker to disrupt NGINX worker processes or, in limited environments, achieve code execution.

Smartmakers has assessed the impact on thingsHub and taken preventive measures. Based on our review, thingsHub deployments are not exposed to exploitation through the known attack pattern in their current configuration.

We have validated that this vulnerability does not affect any thingsHub 7.5 and greater tenants, including managed and self-hosted deployments using the standard thingsHub configuration.


Vulnerability description

CVE-2026-42945 affects the NGINX rewrite module when a particular configuration pattern is used: a rewrite rule that combines unnamed regular-expression captures (e.g. $1, $2) with a replacement string containing a question mark (?), followed by another rewrite, if, or set directive.
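A static check for the configuration pattern described above, added here as an illustration; it is not Smartmakers or F5 tooling. It is a heuristic: the function names and the sample configuration are constructed, it does not follow include files, and treating an if block as part of its enclosing block is a conservative assumption.

```python
import re

# Heuristic nginx.conf tokens: quoted strings, comments, ; { }, bare words.
TOKEN = re.compile(
    r'"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|#[^\n]*|[;{}]'
    r'|(?:\$\{[^}]*\}|[^\s;{}])+')
FOLLOWERS = {"rewrite", "if", "set"}

def is_risky(repl):  # unnamed capture ($1..$9) plus a '?' in the replacement
    return "?" in repl and bool(re.search(r"\$[1-9]", repl))

def find_risky_rewrites(conf_text):
    """Return (rewrite_line, follower_line, follower_name) tuples."""
    findings, words, line = [], [], 0
    stack = [[None]]  # one scope per open block: [line of pending rewrite]
    for m in TOKEN.finditer(conf_text):
        tok = m.group()
        if tok.startswith("#"):
            continue
        if tok not in (";", "{", "}"):
            if not words:  # first word of a directive: remember its line
                line = conf_text.count("\n", 0, m.start()) + 1
            words.append(tok)
            continue
        name = words[0] if words else ""
        if name in FOLLOWERS and stack[-1][0] is not None:
            findings.append((stack[-1][0], line, name))
            stack[-1][0] = None
        if name == "rewrite" and len(words) >= 3 and is_risky(words[2]):
            stack[-1][0] = line
        words = []
        if tok == "{":
            # Assumption: an `if` block shares its parent's scope (conservative).
            stack.append(stack[-1] if name == "if" else [None])
        elif tok == "}" and len(stack) > 1:
            stack.pop()
    return findings

# Constructed sample, not thingsHub configuration.
SAMPLE = """\
location /a/ {
    rewrite ^/a/(.*)$ /b/$1?src=a last;   # flagged: a set directive follows
    set $seen 1;
}
location /c/ { rewrite ^/c/(.*)$ /d/$1?x=1 last; }   # nothing follows it
location /e/ { rewrite ^/e/(?<r>.*)$ /f/$r?x=1 last; set $s 1; }   # named capture
"""
for rw, nxt, name in find_risky_rewrites(SAMPLE):
    print(f"line {rw}: rewrite with $N and '?' is followed by '{name}' on line {nxt}")
```

A hit means the directive sequence deserves manual review; an empty result on a single file says nothing about files pulled in through include.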

Further information is available from:


Impact on thingsHub

thingsHub uses NGINX in a limited capacity:

  • UI service: NGINX serves the thingsHub web application inside the UI container.

  • Ingress / edge routing: Smartmakers is completing a migration from NGINX Ingress to Traefik for customer-facing routing.

After review of thingsHub application configuration and our managed environments, we did not identify any configuration matching the vulnerable pattern. thingsHub application services (API, engine, business objects, and related backend components) are not directly affected by this vulnerability.

For thingsHub 7.5 and greater, Smartmakers has confirmed that standard tenant configurations do not use the vulnerable NGINX rewrite pattern.


Smartmakers assessment

Smartmakers has performed a technical review covering:

  • thingsHub Helm charts and application configuration

  • Live configuration in our managed development environment

  • NGINX versions in use across relevant components

  • Validation across thingsHub 7.5 and greater tenant deployments

Conclusion: thingsHub is not currently exploitable via CVE-2026-42945 based on known configuration patterns. We have validated that this vulnerability does not affect any thingsHub 7.5 and greater tenants. No evidence of active exploitation has been identified.


Actions taken

Smartmakers has implemented the following measures:

  1. Configuration review. Verified that thingsHub does not use the vulnerable NGINX rewrite pattern.

  2. UI container hardening. Updated the thingsHub UI base image to NGINX 1.30.1, which includes the vendor fix for this vulnerability.

  3. Ingress migration. Continued rollout of Traefik as the primary ingress controller, reducing reliance on NGINX at the platform edge.

  4. Development environment updates. Updated local development NGINX components to patched versions.


Recommendations for customers

Managed thingsHub (Smartmakers Cloud / hosted environments)
No customer action is required. Smartmakers will apply remaining updates through our normal release and deployment process. We will notify customers if any further action becomes necessary.

Self-hosted / on-premises deployments (thingsHub 7.5 and greater)
No immediate action is required. Smartmakers has validated that this vulnerability does not affect thingsHub 7.5 and greater tenants using the standard thingsHub deployment.

As part of our ongoing hardening, we recommend staying on supported thingsHub releases and applying routine updates through your normal maintenance process. Future releases will include updated NGINX components as an additional preventive measure.

Older or custom deployments
If you operate a thingsHub version earlier than 7.5, or have applied custom NGINX or ingress configuration outside the standard thingsHub deployment, please contact Smartmakers support. We will help you confirm whether any review is needed.


Timeline

Date           Action
13 May 2026    CVE published by F5 Networks
May 2026       Smartmakers impact assessment initiated
26 May 2026    Assessment completed; preventive updates applied
Ongoing        Traefik migration and routine patch deployment


Contact

If you have questions regarding this advisory, please contact Smartmakers support:

Email: support@smartmakers.de
Subject line: Security Advisory, CVE-2026-42945


This advisory may be updated if new information becomes available. Smartmakers follows responsible disclosure practices and will communicate material changes to affected customers.

Smartmakers GmbH
