Threat Analysis: NGINX Rift Under Active Exploitation and Grafana Source Code Theft, What UK SMBs Need to Know
Hello, Mauven here.
This is your Daily Threat Analysis for 18th May 2026.
Two separate incidents today deserve your attention, and they have more in common than the headlines suggest. Both are about how quickly the gap between disclosure and damage has collapsed. Both have direct relevance to UK SMBs, even if your business does not consider itself a likely target.
CVE-2026-42945: NGINX Is Being Actively Exploited. Right Now.
Let us start with the one that has a countdown clock attached to it.
CVE-2026-42945, the vulnerability being tracked under the name NGINX Rift, was publicly disclosed recently. Researchers are already reporting active probing and exploitation of exposed servers. The Register confirmed today that attackers wasted no time targeting internet-facing NGINX installations after the flaw became public knowledge.
The detail that matters here is timing. Not weeks after disclosure. Days.
NGINX is not some obscure enterprise product. It is one of the most widely deployed web server and reverse proxy platforms on the planet. A substantial proportion of UK SMB web infrastructure, whether hosted directly, through a managed service provider, or via a cloud platform, sits behind NGINX. Many of those businesses have no idea it is there, because it is abstracted away by a hosting panel or a managed service agreement.
That abstraction is precisely the problem.
If your hosting provider or MSP is managing your web infrastructure and has not proactively told you they have patched CVE-2026-42945, ask them today. If they need time to look into it, that tells you something important about their patching cadence. If they cannot tell you what version of NGINX you are running, that tells you something else entirely.
The advisory tells you there is a vulnerability. What it does not say loudly enough is that the exploitation timeline for internet-facing services is no longer measured in weeks. Threat actors are running automated scanning infrastructure that picks up newly disclosed CVEs and begins probing within hours. For SMBs relying on third parties to manage patching, the question is not whether your provider knows about the vulnerability. It is whether they have already acted.
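If you do manage some of your own NGINX hosts, or your MSP hands you a list of version strings, the first step is simply knowing what is deployed. The following Python script is an added example for this briefing, not code from the page or from the NGINX project: it parses the banner that `nginx -v` prints (to stderr, not stdout) or that an HTTP `Server` header exposes, and compares it with a fixed version. The fixed version for CVE-2026-42945 is not stated in this briefing, so `FIXED_VERSION` is a placeholder to replace with the version named in the vendor advisory; the host labels and banners in `SAMPLE_INVENTORY` are constructed for the example.

```python
"""Parse NGINX version banners and flag hosts still below a fixed version.

Added example for this briefing, not from the page or from the NGINX project.
FIXED_VERSION is a placeholder: the fixed release for CVE-2026-42945 is not
stated here and must be taken from the vendor advisory.
"""
import re
import shutil
import subprocess

FIXED_VERSION = "0.0.0"  # PLACEHOLDER: replace with the advisory's fixed version

# Matches both the "nginx -v" banner ("nginx version: nginx/1.25.3") and an
# HTTP Server header ("Server: nginx/1.25.3" or "Server: openresty/1.25.3.1").
VERSION_RE = re.compile(r"(?:nginx|openresty)/(\d+(?:\.\d+)+)")


def parse_version(banner):
    """Return the version as a tuple of ints, or None if the banner has no version."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def classify(banner, fixed=FIXED_VERSION):
    """'vulnerable' if below the fixed version, 'patched' otherwise, 'unknown' if no version.

    Caveat: distribution packages often backport security fixes without bumping
    the upstream version, so 'vulnerable' here means 'confirm against the
    package changelog', not a definitive verdict.
    """
    found = parse_version(banner)
    if found is None:
        return "unknown"
    target = tuple(int(p) for p in fixed.split("."))
    return "vulnerable" if found < target else "patched"


def report(inventory, fixed=FIXED_VERSION):
    """Map host label -> status for a dict of host label -> banner text."""
    return {host: classify(banner, fixed) for host, banner in inventory.items()}


def local_nginx_banner():
    """Banner of the nginx binary on this machine, or None if nginx is not installed.

    `nginx -v` writes its banner to stderr, not stdout, so both streams are captured.
    """
    exe = shutil.which("nginx")
    if exe is None:
        return None
    proc = subprocess.run([exe, "-v"], capture_output=True, text=True)
    return (proc.stderr or "") + (proc.stdout or "")


# Constructed sample inventory: labels and banners are invented for this example.
# "Server: nginx" with no version is what you see when server_tokens is off,
# which is good hygiene but means the version must be checked on the host itself.
SAMPLE_INVENTORY = {
    "web-01 (MSP managed)": "nginx version: nginx/1.25.3",
    "web-02 (cloud load balancer)": "Server: nginx/1.26.2",
    "api-gw (OpenResty)": "nginx version: openresty/1.25.3.1",
    "legacy-web (banner hidden)": "Server: nginx",
}

if __name__ == "__main__":
    # Run against the constructed sample with an assumed fixed version of 1.26.0,
    # then against this machine's nginx if one is installed.
    for host, status in report(SAMPLE_INVENTORY, fixed="1.26.0").items():
        print(f"{host:32s} {status}")
    local = local_nginx_banner()
    if local:
        print("local nginx:", classify(local))
```

A host reported as "unknown" is not reassuring: it means the banner gives no version, and the only way to answer the question is on the box or from the provider. That is the written confirmation to ask your MSP for.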
Grafana Source Code Stolen: One Token, Entire Codebase
The second story is different in character but equally instructive.
Grafana Labs disclosed today that attackers downloaded its source code after compromising its GitHub environment. The method was not a sophisticated zero-day exploit chain. It was a stolen access token.
One token. The entire codebase.
The threat group involved has been linked to the same actors behind the recent Coinbase extortion campaign. The approach is consistent: identify a single high-value credential, use it to extract as much intellectual property or sensitive data as possible, then leverage that for extortion or downstream exploitation.
For UK SMBs, the direct risk here is not that your business will be targeted by the same group tomorrow. The more relevant concern is what comes next. When attackers obtain source code from a widely used monitoring and observability platform, they are not reading it for interest. They are auditing it for vulnerabilities. Those vulnerabilities, if found, will eventually become CVEs, or they will be exploited quietly before anyone knows they exist.
If your business uses Grafana for infrastructure monitoring, which is common in SMBs that have grown their own IT estate over time, watch for follow-on security advisories from Grafana Labs carefully. The company has stated that customer data was not accessed in this breach. That assessment may be accurate. But the source code is now in the hands of a group that has demonstrated both the motivation and the capability to monetise it.
There is also a second-order lesson here that applies to every business, regardless of whether you use Grafana.
How many access tokens, API keys, and personal access tokens exist in your business right now? Not the ones you know about. The ones sitting in a developer's local environment, in a CI/CD pipeline, in a shared password manager that three people have access to. The NCSC has published guidance on secrets management. The fact that a company the size of Grafana Labs was compromised via a single stolen token should be a prompt to audit yours.
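A first pass at that audit can be automated. The Python script below is an added example for this briefing, not code from the page or from Grafana Labs: it scans text or a directory tree for credential-shaped strings using the publicly documented GitHub (`ghp_`, `github_pat_`) and AWS (`AKIA`) token prefixes plus a heuristic for `KEY=value` assignments, filters low-entropy placeholders, and reports redacted findings. The file names and contents in `SAMPLE_FILES` are constructed for the example (the AWS key is Amazon's documented example key ID).

```python
"""Scan text or a directory tree for credential-shaped strings.

Added example for this briefing, not from the page or from Grafana Labs.
The GitHub ("ghp_", "github_pat_") and AWS ("AKIA") prefixes are publicly
documented token formats; the generic assignment rule is a heuristic.
"""
import math
import re
from collections import Counter
from pathlib import Path

PATTERNS = {
    "github_pat_classic": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "github_pat_fine_grained": re.compile(r"\bgithub_pat_[A-Za-z0-9_]{20,}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # Heuristic: KEY=value style assignments whose value is long enough to be a
    # secret. Short passwords (DB_PASSWORD=changeme) are NOT caught by this rule.
    "generic_assignment": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{20,})"
    ),
}
MIN_ENTROPY = 3.0  # bits per character; drops placeholders such as xxxxxxxx


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    counts = Counter(s)
    n = len(s)
    return sum(-(c / n) * math.log2(c / n) for c in counts.values())


def redact(value):
    """Keep the prefix and last two characters so a finding can be identified, not reused."""
    return value[:4] + "*" * max(len(value) - 6, 0) + value[-2:]


def scan_text(text, source):
    """Return a list of findings (source, line, kind, redacted) for one text blob."""
    findings = []
    seen = set()  # (line, value) so a token hit by two rules is reported once
    for line_no, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Only the heuristic rule needs the entropy gate; the prefixed
                # formats are structurally distinctive on their own.
                if kind == "generic_assignment" and shannon_entropy(value) < MIN_ENTROPY:
                    continue
                if (line_no, value) in seen:
                    continue
                seen.add((line_no, value))
                findings.append(
                    {"source": source, "line": line_no, "kind": kind, "redacted": redact(value)}
                )
    return findings


def scan_tree(root):
    """Scan every regular file under root, skipping .git directories."""
    findings = []
    for path in Path(root).rglob("*"):
        if ".git" in path.parts or not path.is_file():
            continue
        findings.extend(scan_text(path.read_text(errors="ignore"), str(path)))
    return findings


# Constructed sample files: every value here is invented for this example.
SAMPLE_FILES = {
    ".env": (
        "GITHUB_TOKEN=ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n"
        "DB_PASSWORD=changeme\n"
        'SLACK_SIGNING_SECRET="9f86d081884c7d659a2feaa0c55ad015"\n'
    ),
    "ci.yml": "  env:\n    AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n",
    "notes.txt": "token = this is not a token\nAPI_KEY=xxxxxxxxxxxxxxxxxxxxxxxx\n",
}


def scan_samples():
    """Run the scanner over the constructed sample files."""
    findings = []
    for name, content in SAMPLE_FILES.items():
        findings.extend(scan_text(content, name))
    return findings


if __name__ == "__main__":
    # Expected: the GitHub token, the Slack signing secret and the AWS key ID are
    # reported; the short password and the all-x placeholder are not.
    for f in scan_samples():
        print(f"{f['source']}:{f['line']} {f['kind']} {f['redacted']}")
```

Two limits are worth keeping in mind before trusting the output. The heuristic rule will miss short secrets, so a weak `DB_PASSWORD=changeme` stays invisible, and a scan of working directories says nothing about tokens that live only in a CI system's variables or a shared password manager; those need to be listed from the tool itself, which is the point of the revoke-what-you-do-not-need step.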
The Connecting Thread
These two incidents look different on the surface. One is a vulnerability being actively exploited. The other is a credential compromise leading to data theft. But the connecting thread is the same one we come back to repeatedly in this briefing.
The window between a threat being known and a threat being exploited has collapsed. For CVE-2026-42945, exploitation began within days of disclosure. For Grafana, a single stolen credential bypassed whatever other controls were in place. In both cases, the assumption that there is time to respond at a measured pace is wrong.
For UK SMBs, the practical implication is this: if you are relying on a third party to manage your web infrastructure, your hosting environment, or your internal tooling, your security posture is only as good as their patching and credential hygiene. Most SMBs have never asked their MSP for a patching SLA. Most MSPs have never been asked for one.
That conversation is overdue.
A Note on Windows 11 KB5089549
For completeness: Microsoft confirmed today that the May 2026 Windows 11 security update KB5089549 is failing to install on some systems with a 0x800f0922 error. This is relevant because a failed security update is not the same as a patched system. If your Windows 11 machines appear to have had the May update applied but are showing errors, verify the installation actually completed. Microsoft has acknowledged the issue and is working on a fix. In the meantime, manual verification of update status across your fleet is prudent.
What To Do Today
- NGINX: Contact your hosting provider or MSP and ask specifically whether CVE-2026-42945 has been patched on any NGINX instances in your environment. Get a written confirmation.
- Grafana: If you run Grafana, subscribe to Grafana Labs security advisories and monitor for follow-on disclosures. Review who has administrative access to your Grafana instance.
- Access tokens: Conduct an audit of any API keys, personal access tokens, or service account credentials in use across your business. Revoke anything that is not actively needed.
- Windows 11 updates: Verify that KB5089549 successfully installed on affected machines. Do not assume a completed update cycle means the patch applied.