Hi,
I’d like to ask about TrueNAS’s exposure to CVE-2026-42945 https://nvd.nist.gov/vuln/detail/CVE-2026-42945
TrueNAS CORE embeds NGINX to serve its web UI. My concern is whether the version of NGINX shipped with TrueNAS CORE uses a configuration that includes the vulnerable directive pattern, or whether the rewrite rules in the default config are structured in a way that exposes the attack surface.
My questions:
- Is TrueNAS CORE’s default NGINX configuration actually vulnerable to this specific pattern (rewrite + PCRE unnamed capture + ? in replacement)?
- Is a patch planned for TrueNAS CORE, and if so, on what timeline? Given that CORE is in maintenance mode, is an update of the embedded NGINX version realistic?
- If no patch is planned, is there a supported configuration workaround - for instance, restricting WebUI access to loopback or a dedicated management interface, or disabling specific nginx modules - that would mitigate the risk without breaking WebUI functionality?
Thanks in advance
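
A way to check a config for the pattern named in the first question, added here as an example (not part of the original post and not TrueNAS or NGINX code): it lists every `rewrite` directive whose regex has an unnamed capture group and whose replacement contains `?`. The three conditions are taken from the post's wording rather than from the advisory, so a hit is a line to review, not proof of exposure; the sample config is constructed.

```python
import re
import sys

# Constructed sample for illustration, not TrueNAS's real nginx.conf.
SAMPLE_CONF = r'''
server {
    rewrite ^/legacy/(.*)$ /ui/$1?from=legacy last;
    rewrite "^/api/v(?<ver>\d{1,2})/(?:.*)$" /api/?v=$ver break;
    rewrite ^/docs/([a-z]+)$ /help/$1 permanent;  # was: /help/$1?x=1
    location / { rewrite ^/ui\(x\)$ /ui/?x=1; }
}
'''

# nginx tokens: comment | quoted string | punctuation | bare word
TOKEN = re.compile(r'''\#[^\n]* | "(?:\\.|[^"\\])*" | '(?:\\.|[^'\\])*'
    | [;{}] | (?:\\.|[^\s;{}"'\#])(?:\\.|[^\s;{}])* ''', re.X | re.S)

def has_unnamed_capture(rx):
    """True if rx has a '(' that is unescaped, outside [...], and not '(?' or '(*'."""
    i, in_class = 0, False
    while i < len(rx):
        c = rx[i]
        if c == '\\':
            i += 1                          # skip the escaped character
        elif in_class or c == '[':
            in_class = c != ']'             # enter, stay in, or leave a class
        elif c == '(' and rx[i + 1:i + 2] not in ('?', '*'):
            return True
        i += 1
    return False

def find_rewrite_candidates(conf_text):
    """Return (line, regex, replacement) for each rewrite matching the pattern."""
    hits, cur = [], []
    for m in TOKEN.finditer(conf_text):
        tok = m.group()
        if tok in (';', '{', '}'):          # end of a directive or block header
            if len(cur) >= 3 and cur[0][1] == 'rewrite' \
                    and has_unnamed_capture(cur[1][1]) and '?' in cur[2][1]:
                hits.append((cur[0][0], cur[1][1], cur[2][1]))
            cur = []
        elif tok[0] != '#':                 # ignore comments
            line = conf_text.count('\n', 0, m.start()) + 1
            cur.append((line, tok[1:-1] if tok[0] in '"\'' else tok))
    return hits

if __name__ == '__main__':
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    print(*find_rewrite_candidates(text), sep='\n')
```

Pass the config path as the first argument. `include` files are not followed, so saving the output of `nginx -T` to a file and scanning that covers the full effective configuration.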