Approved changes feed: RSS · Atom

cpe:2.3:a:0xjacky:nginx-ui:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor0Xjacky (c4e0923b-58f1-5687-a9d1-387c996ca5d1)
ProductNginx Ui (8ba8cd69-4894-54e7-876c-1d24c242050c)
Edition*
Language*
Software edition*
Target software*
Target hardware*
Other*
NotesImported from gcve-enriched-dumps CVE data

PURL mappings

PURLSourceLast updated
No PURL mappings for this CPE yet.

Vulnerability references

IdentifiercpeApplicabilitySubmitteddb.gcve.eu detailsRationale
CVE:CVE-2026-44015 vulnerable 2026-06-08 08:03:18.065574 Nginx UI: Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware Allows Access to Internal Services
HIGH (8.5)
Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.
Published: 2026-05-12T20:49:16.240Z
Updated: 2026-05-14T21:32:37.840Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-42238 vulnerable 2026-06-08 08:03:16.064223 Unauthenticated Remote Code Execution via Backup Restore in nginx-ui
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui — typically root in Docker deployments. This issue has been patched in version 2.3.8.
Published: 2026-05-04T20:13:22.196Z
Updated: 2026-05-05T15:50:36.447Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-42223 vulnerable 2026-06-08 08:03:16.051053 nginx-ui: Settings API Exposes Protected Secrets
MEDIUM (6.5)
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes (via ProtectedFill in SaveSettings) and is completely ignored during reads. This exposes 40+ protected fields including JwtSecret (enabling auth token forgery), NodeSecret (enabling cluster node impersonation), OIDC ClientSecret (enabling OAuth account takeover), and the IP whitelist configuration. This issue has been patched in version 2.3.8.
Published: 2026-05-04T20:12:00.546Z
Updated: 2026-05-05T14:08:40.851Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-42222 vulnerable 2026-06-08 08:03:16.048024 nginx-ui: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover
HIGH (8.1)
Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.
Published: 2026-05-04T20:11:11.049Z
Updated: 2026-05-06T13:58:55.214Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-42221 vulnerable 2026-06-08 08:03:16.047396 nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
HIGH (8.1)
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate who is allowed to perform installation. A remote attacker who reaches the service before the legitimate operator can set the admin email, username, and password, causing permanent initial-instance takeover. This issue has been patched in version 2.3.8.
Published: 2026-05-04T20:09:37.308Z
Updated: 2026-05-05T14:14:11.906Z
Reference links
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-42220 vulnerable 2026-06-08 08:03:16.045624 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-34403 vulnerable 2026-06-08 07:59:12.478466 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33032 vulnerable 2026-06-08 07:57:18.488014 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33031 vulnerable 2026-06-08 07:57:18.487724 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33030 vulnerable 2026-06-08 07:57:18.487399 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33029 vulnerable 2026-06-08 07:57:18.487078 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33028 vulnerable 2026-06-08 07:57:18.484828 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33027 vulnerable 2026-06-08 07:57:18.484367 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-33026 vulnerable 2026-06-08 07:57:18.482828 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-27944 vulnerable 2026-06-08 07:55:14.691928 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-49368 vulnerable 2026-06-08 06:50:13.698446 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-49367 vulnerable 2026-06-08 06:50:13.683738 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-49366 vulnerable 2026-06-08 06:50:13.641898 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-23828 vulnerable 2026-06-08 06:29:40.725595 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-23827 vulnerable 2026-06-08 06:29:40.672342 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-22198 vulnerable 2026-06-08 06:29:34.103112 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-22197 vulnerable 2026-06-08 06:29:34.098196 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data
CVE:CVE-2024-22196 vulnerable 2026-06-08 06:29:34.086119 db.gcve.eu details were skipped to keep the page responsive. Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.