NGINX Rift CVEs: Impact on Kong Gateway Open Source

[dndx]

Dear Kong Community,

Kong is aware of the recently disclosed NGINX CVEs, including the issue publicly referred to as NGINX Rift. Here is our initial assessment of these CVEs and their impact on the Kong Gateway Open Source project.

Note: if you have an enterprise contract with Kong, please contact your support team to discuss impact on Kong's enterprise offerings. This advisory applies to the Open Source Kong releases only.

Kong is actively working on a 3.9.2 security release for the Open Source project and will publish it as soon as practical. The release will be announced in this discussion thread once it becomes available.

This page will be kept up to date as new information and findings regarding these CVEs emerge.

Updates:

• May 27, 2026 - Added CVE-2026-9256 (PoolSlip) CVE exposure evaluation
• Jun 4, 2026 - Kong Open Source 3.9.2 security release, which contains fixes to all CVEs below except CVE-2026-42926 ¹ has been released.

CVE Number	Description	Kong Open Source Impacted	Explanation
CVE-2026-42945	NGINX ngx_http_rewrite_module vulnerability	No, unless custom NGINX template or injected directive is used to create the vulnerable combination of directives	Kong Open Source does not use the rewrite directive which is necessary for triggering the vulnerability. Furthermore, Kong’s rewrite functionality is not performed via the ngx_http_rewrite_module.
CVE-2026-42946	NGINX ngx_http_scgi_module and ngx_http_uwsgi_module vulnerability	No, unless custom NGINX template or injected directive is used to create the vulnerable combination of directives	Kong Open Source does not use the ngx_http_scgi_module or ngx_http_uwsgi_module by default.
CVE-2026-40701	NGINX ngx_http_ssl_module vulnerability	No, unless custom NGINX template or injected directive is used to create the vulnerable combination of directives	Kong Open Source does not rely on NGINX built-in OCSP verification with the default config.
CVE-2026-42934	NGINX ngx_http_charset_module vulnerability	No, unless custom NGINX template or injected directive is used to create the vulnerable combination of directives	Kong Open Source does not configure the vulnerable combination of directives necessary for the exploitation.
CVE-2026-42926	NGINX ngx_http_proxy_v2_module vulnerability	No	As of the date of publication of this advisory (May 20, 2026), the latest Kong Open Source release 3.9.1 is based on NGINX 1.27.1. The ngx_http_proxy_v2_module was introduced in a later NGINX release and is not present in this version.
CVE-2026-40460	NGINX ngx_quic_module vulnerability	No, unless custom NGINX template or injected directive is used to create the vulnerable combination of directives	Kong Open Source does not support enabling HTTP/3 or QUIC in its default config.
CVE-2026-9256	NGINX ngx_http_rewrite_module vulnerability (aka NGINX PoolSlip)	No, unless custom NGINX template or injected directive is used to create the vulnerable combination of directives	Kong Open Source does not use the rewrite directive which is necessary for triggering the vulnerability. Furthermore, Kong’s rewrite functionality is not performed via the ngx_http_rewrite_module.

Footnotes

1. Kong Open Source is not vulnerable to CVE-2026-42926, see explanations above. ↩

[dndx]

Hello Kong Open Source Community,

We have released the Kong Open Source 3.9.2 security release today, which contains fixes to all CVEs affecting Kong Open Source from the NGINX Rift series.

Docker images are available at: https://hub.docker.com/r/kong/kong