Overview
Users running ONLYOFFICE Document Server (Docs) as a Docker container may encounter security scanner alerts reporting CVE-2026-42945, also known as NGINX Rift. This vulnerability affects older NGINX packages bundled within the container image, including versions shipped with Document Server 8.x (e.g., nginx 1.18.0) and certain 9.x images using nginx 1.24.0 from the Ubuntu package repository.
About the Vulnerability
CVE-2026-42945 is a critical heap buffer overflow in NGINX's ngx_http_rewrite_module. It affects NGINX Open Source versions 0.6.27 through 1.30.0 and NGINX Plus R32 through R36.
CVSS v4.0 score: 9.2 (Critical)
The flaw allows an unauthenticated attacker to:
- Send a specially crafted HTTP request to crash NGINX worker processes (Denial of Service).
- Potentially achieve remote code execution (RCE) on systems where Address Space Layout Randomization (ASLR) is disabled.
Important caveat: The vulnerability is only exploitable when the NGINX configuration contains rewrite, if, or set directives that use unnamed PCRE regex captures (e.g., $1, $2) with a replacement string that includes a question mark (?), followed by another rewrite, if, or set directive. Not all NGINX deployments use this configuration pattern. On modern Linux systems with ASLR enabled (the default), exploitation is limited to a DoS/crash scenario.
References:
- Help Net Security — CVE-2026-42945 active exploitation report
- The Hacker News — NGINX CVE-2026-42945 exploited in the wild
ONLYOFFICE Resolution
ONLYOFFICE addressed this vulnerability in Document Server version 9.4 by rebasing the Docker image on Ubuntu 24.04 and including the patched NGINX package 1.24.0-2ubuntu7.8, which contains the upstream fix for CVE-2026-42945 as backported by the Ubuntu security team.
The recommended and only supported remediation is to update your ONLYOFFICE Document Server Docker image to version 9.4 or later.
How to Update ONLYOFFICE Document Server (Docker)
Follow the steps below. These apply to Community, Enterprise, and Developer editions. For Enterprise Edition specifically, refer to the official guide: Updating ONLYOFFICE Docs Enterprise Edition for Docker.
Step 1 — Prepare for shutdown (avoid data loss)
Before stopping the container, gracefully disconnect all active users to prevent document data loss:
sudo docker exec <DOCUMENT_SERVER_ID> documentserver-prepare4shutdown.sh
This script may take up to 5 minutes to complete.
Step 2 — Back up your data
Create a backup of your mounted volumes:
sudo tar -czf onlyoffice-docs-backup-$(date +%Y%m%d).tar.gz \
/app/onlyoffice/DocumentServer/data \
/app/onlyoffice/DocumentServer/lib \
/app/onlyoffice/DocumentServer/db
Step 3 — Record the current container and image details
sudo docker inspect --format='{{.Config.Image}}' <DOCUMENT_SERVER_ID>
Step 4 — Stop and remove the current container
sudo docker stop <DOCUMENT_SERVER_ID>
sudo docker rm <DOCUMENT_SERVER_ID>
Step 5 — Pull the latest image
For Enterprise Edition:
sudo docker pull onlyoffice/documentserver-ee:latest
For Community Edition:
sudo docker pull onlyoffice/documentserver:latest
Step 6 — Run the new container
Start the new container using the same volume mounts and environment variables as your previous installation. Example:
sudo docker run -i -t -d -p 80:80 --restart=always \
-v /app/onlyoffice/DocumentServer/logs:/var/log/onlyoffice \
-v /app/onlyoffice/DocumentServer/data:/var/www/onlyoffice/Data \
-v /app/onlyoffice/DocumentServer/lib:/var/lib/onlyoffice \
-e JWT_SECRET=<your_jwt_secret> \
onlyoffice/documentserver-ee
> Ensure you use the same volume paths that were mounted in the previous container to preserve your data.
Step 7 — Verify the update
Open your browser and navigate to http://<your-server-address>/. Confirm the new version is running. You can also check the info page at http://<your-server-address>/info/.
Temporary Mitigation (If Immediate Update Is Not Possible)
If you cannot update right away, you can reduce exposure by modifying your NGINX configuration to replace unnamed regex captures with named captures. For example, change:
rewrite ^/(.*)$ /?path=$1 last;
to use named captures:
rewrite ^/(?P<seg>.*)$ /?path=${seg} last;
Also verify that ASLR is enabled on your host system (a value of 2 in /proc/sys/kernel/randomize_va_space confirms it is active), which limits the risk to a crash/DoS rather than RCE.
> Note: Configuration mitigation is not a substitute for patching. Update to Document Server 9.4 as soon as operationally feasible.
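As an added example (not ONLYOFFICE or NGINX tooling), the shell script below is a heuristic audit for the configuration pattern described above and for the ASLR setting. It assumes one directive per line and no whitespace inside the regex; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: heuristic audit for the pattern this article describes.
# Assumes one directive per line and no whitespace inside the regex.

# MATCH: rewrite/set whose value has an unnamed capture ($1, $2, ...) and a "?",
#        with a later rewrite/if/set directive in the same file.
# CANDIDATE: same, but no later directive in this file (check included files).
find_risky_directives() {
    awk '
        /^[ \t]*#/ { next }                          # skip comment lines
        /^[ \t]*(rewrite|if|set)[ \t(]/ {            # a following directive
            if (pending != "") { print "MATCH " pending; pending = "" }
        }
        /^[ \t]*(rewrite|set)[ \t]/ {                # field 3 = replacement/value
            if ($3 ~ /\$[0-9]/ && $3 ~ /\?/) pending = FILENAME ":" FNR ": " $0
        }
        END { if (pending != "") print "CANDIDATE " pending }
    ' "$1"
}

# Succeeds only when the ASLR setting reads 2, the value the article names.
aslr_fully_enabled() {
    [ "$(cat "${1:-/proc/sys/kernel/randomize_va_space}" 2>/dev/null)" = "2" ]
}

# Constructed sample configuration, for demonstration only.
write_sample_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    # rewrite ^/old/(.*)$ /?legacy=$1 last;
    rewrite ^/(.*)$ /?path=$1 last;
    set $flag 1;
    rewrite ^/(?P<seg>.*)$ /?path=${seg} last;
    rewrite ^/tail/(.*)$ /?t=$1 last;
}
EOF
}

# Scan the files given as arguments, or the constructed sample when none given.
if [ "$#" -gt 0 ]; then
    for f in "$@"; do find_risky_directives "$f"; done
else
    demo=$(mktemp) && write_sample_conf "$demo"
    find_risky_directives "$demo"; rm -f "$demo"
fi
aslr_fully_enabled || echo "ASLR setting is not 2 on this host" >&2
```

Pass it the configuration files copied out of the container or from your reverse proxy; a result of no lines only means the heuristic found nothing in those files, so it does not replace the update.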
Affected Versions
| Component | Affected | Fixed In |
|---|---|---|
| ONLYOFFICE Document Server Docker (all editions) | 8.x and earlier 9.x images with nginx < 1.24.0-2ubuntu7.8 | 9.4+ |
| NGINX Open Source | 0.6.27 – 1.30.0 | 1.30.1 (stable) / 1.31.1 (mainline) |