A newly disclosed vulnerability in Nginx UI, the popular web-based manager designed to simplify Nginx clusters with AI assistance and one-click deployments, allows unauthenticated attackers to achieve Remote Code Execution (RCE). Tracked as CVE-2026-42238, the flaw carries a CVSS score of 9.0.
It exploits a "race against the clock" design choice in the application's backup and restoration logic, potentially handing full server control to anyone who can reach the endpoint over the network.
The vulnerability centers on the backup restore endpoint (POST /api/restore). To ease initial setup, Nginx UI leaves this endpoint completely unauthenticated for the first 10 minutes after the process starts.
While intended for fresh installations, the logic contains a fatal oversight: the 10-minute unauthenticated window is tied to process start, so it resets every time the process restarts. Whether the trigger is a container reboot, an upgrade, or a failed health check, the "door" swings wide open again. During that window, an attacker can upload a malicious backup archive that overwrites the application's core configuration file (app.ini) and its SQLite database.
By controlling the restored app.ini, the attacker can place arbitrary OS commands in settings such as TestConfigCmd. Once the application restarts to apply the "restored" settings, a single follow-up request executes the attacker's command.
The consequences of this flaw are particularly severe due to how Nginx UI is typically deployed.
- Privilege Escalation: In Docker environments, the primary distribution method, Nginx UI usually runs as root. Root inside the container becomes full host access when the container runs in privileged mode or mounts host paths.
- Total Exposure: Attackers gain read access to all Nginx configurations, TLS private keys, and any secrets stored in the database.
- Complete Denial of Service: An attacker can stop or permanently misconfigure both Nginx and the UI, leading to a total blackout of the services it manages.
The development team has released a patch that abandons the time-based exemption and requires authentication on the endpoint unconditionally. Upgrade to a fixed release.
If you cannot upgrade immediately, be extremely cautious about restarting your Nginx UI containers, since every restart reopens the window, and restrict network access to the UI (for example, block /api/restore at a reverse proxy or firewall) until the fix is applied. Review your web server or reverse-proxy access logs for POST requests to /api/restore in the minutes following any process start, not only a system boot.
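The log review described above can be automated. The following is an added example written for this article, not code from the Nginx UI project: it scans access-log lines in nginx's standard "combined" format for POST /api/restore requests that fall within 10 minutes of a known process (re)start. The log lines and restart timestamp below are constructed for the demonstration; in production they would come from the reverse proxy in front of the UI and from container events or the systemd journal.

```python
"""Flag POST /api/restore requests that land inside Nginx UI's unauthenticated
start-up window (hypothetical detection example, not Nginx UI's own code).

Assumptions: the reverse proxy in front of Nginx UI writes nginx 'combined'
access-log lines, and process (re)start times are known from an external
source (container events, systemd journal). Both are constructed inline here.
"""
import re
from datetime import datetime, timedelta, timezone

# Length of the unauthenticated window after each process start.
WINDOW = timedelta(minutes=10)

# nginx 'combined' format: ip - user [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_ts(raw):
    """Parse a combined-format timestamp such as '10/Feb/2026:08:02:15 +0000'."""
    return datetime.strptime(raw, "%d/%b/%Y:%H:%M:%S %z")


def find_restore_in_window(log_lines, restart_times, window=WINDOW):
    """Return one alert per POST /api/restore seen within `window` of a restart.

    Requests outside every window are ignored here; after the patch they should
    fail with 401, and before it they are still worth a manual look.
    """
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m["path"].split("?", 1)[0]  # drop any query string
        if m["method"] != "POST" or path != "/api/restore":
            continue
        ts = parse_ts(m["ts"])
        for rt in restart_times:
            if rt <= ts <= rt + window:
                alerts.append({
                    "ip": m["ip"],
                    "time": ts,
                    "seconds_after_restart": int((ts - rt).total_seconds()),
                    "status": int(m["status"]),
                })
                break
    return alerts


# Constructed sample data: one restart at 08:00 UTC, a restore call 135 s
# later that succeeded (200), and a later restore call that was rejected.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2026:08:02:15 +0000] "POST /api/restore HTTP/1.1" 200 57 "-" "python-requests/2.31"
198.51.100.4 - - [10/Feb/2026:08:03:40 +0000] "GET /api/settings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Feb/2026:09:30:01 +0000] "POST /api/restore HTTP/1.1" 401 33 "-" "curl/8.4.0"
""".splitlines()

RESTARTS = [datetime(2026, 2, 10, 8, 0, 0, tzinfo=timezone.utc)]

if __name__ == "__main__":
    for a in find_restore_in_window(SAMPLE_LOG, RESTARTS):
        print(f"ALERT {a['ip']} hit /api/restore {a['seconds_after_restart']}s "
              f"after restart at {a['time'].isoformat()} (HTTP {a['status']})")
```

A successful (2xx) restore request inside the window that no operator initiated should be treated as a likely compromise of app.ini and the database, not merely as a probe; in that case the alert should trigger the incident response process rather than just a log entry.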