• Security scanners or internal audits may flag the NGINX version running on NSX appliances as potentially vulnerable to CVE-2026-42945.

VMware NSX

CVE-2026-42945 is a vulnerability that affects the NGINX web server. It is triggered only under highly specific configuration conditions involving URL rewrite rules and regular expression routing logic.

No resolution/workaround is necessary as the product is not impacted by this vulnerability. VMware NSX is not vulnerable to CVE-2026-42945.

All security advisories for VCF software can be found at Security Advisories - VMware Cloud Foundation. From this page, products can be filtered to locate advisories specific to NSX.  

The specific NGINX configuration patterns required to exploit this vulnerability do not exist within the NSX architecture:

• NSX Manager (UI Service): The NGINX configuration for the NSX UI (/etc/nginx/conf.d/ui-service.conf) does not utilize the vulnerable rewrite configurations. The only rewrite directive present is a standard, non-exploitable redirect to the login page.
• NSX Edge (Load Balancer): The native NGINX rewrite directive is not supported within the NSX Load Balancer configuration (nginx.conf). All Load Balancer application rewrite rules are implemented securely using the LB NGINX LUA module, which is entirely unaffected by this vulnerability.

If specific vulnerabilities are discovered (CVEs), search the knowledge base for the CVE number to determine if NSX is affected. 

If it is unclear if NSX is affected, open a case with Broadcom support. For more information, see Creating and managing Broadcom support cases.