Threat Advisory

Nginx-UI Backup Restore Vulnerability Exposes Code Injection

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Critical vulnerabilities have been identified in the Nginx-UI management interface, primarily stemming from unauthenticated access windows during the initial setup phase. These flaws allow unauthenticated remote attackers to perform full system takeovers, ranging from claiming administrative ownership to executing arbitrary operating system commands with high privileges. With CVSS scores reaching 9.8, these issues represent a severe risk to any environment deploying unpatched versions of the software, especially within the first ten minutes of process startup or container deployment. Organizations using this interface must immediately verify their versioning and restrict network access to the management port to prevent unauthorized exploitation.

  • CVE-2026-42238: This critical vulnerability involves an unauthenticated backup restore endpoint located at the api/restore path. During a ten-minute window following any process startup, an attacker can upload a crafted archive to overwrite the application configuration and database. By injecting malicious commands into the configuration settings, the attacker achieves remote code execution as the process owner, which is frequently the root user in containerized environments.
  • CVE-2026-42221: A high-severity flaw exists where the initial administrator account can be claimed by any network-reachable attacker during the first-run setup window. The installation endpoint does not require authentication and fails to verify the identity of the operator performing the setup. A remote actor can define the admin credentials and application secrets, leading to a permanent takeover of the instance before the legitimate administrator can complete the installation.
  • CVE-2026-42222: This vulnerability facilitates an unauthenticated bootstrap takeover via the installation API on first-boot instances. While similar to the administrative claim issue, it specifically targets the initialization of trust material, including JWT and node secrets. An attacker who reaches the service within the initial setup window can define the entire security posture of the application, ensuring persistent administrative control and the ability to authenticate at will.

These vulnerabilities highlight a systemic failure in securing the initial deployment and restoration workflows of the management interface. Immediate patching and the implementation of network-level access controls are required to mitigate the risk of complete infrastructure compromise.

RECOMMENDATION:

  • We recommend updating Nginx-UI to version 2.3.8 or later, and restricting network access to the management port until the update is confirmed.
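The two defender-side checks that follow from the CVE descriptions above and from this recommendation are a version comparison against the fixed release and a review of access logs for hits on the unauthenticated endpoints inside the ten-minute startup window. The script below is an added example written for this advisory; it is not code from the Nginx-UI project or from the referenced reports. The log line format, the sample log lines, the allowlist and the process start time are all constructed for the example, and the installation endpoint path is a labelled placeholder because the advisory names only the api/restore path.

```python
"""Added example: defender-side checks for the Nginx-UI issues in this advisory.

Not code from the advisory or from the Nginx-UI project. The access-log format,
sample lines, allowlist and start time below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from datetime import datetime, timedelta, timezone

# "Update to version 2.3.8 or later" (advisory recommendation).
FIXED_VERSION = (2, 3, 8)

# Endpoints the advisory says accept requests without authentication.
SENSITIVE_PATHS = (
    "/api/restore",             # named in the advisory (CVE-2026-42238)
    "/api/<install-endpoint>",  # PLACEHOLDER: the advisory gives no path for the installer
)

# The advisory's ten-minute window after any process startup.
SETUP_WINDOW = timedelta(minutes=10)


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'v2.3.7' or '2.3.10' into a tuple so 2.3.10 compares above 2.3.8.

    A plain string comparison would wrongly rank '2.3.10' below '2.3.8'.
    """
    core = text.strip().lstrip("v")
    return tuple(int(part) for part in core.split("."))


def is_vulnerable_version(text: str) -> bool:
    """True when the reported version is older than the fixed release."""
    return parse_version(text) < FIXED_VERSION


def find_setup_window_hits(log_lines, process_start: datetime, allowlist):
    """Flag requests to the sensitive endpoints that arrive inside the startup
    window from a source outside the allowlisted management networks.

    Constructed log line format: '<ISO-8601 ts> <src ip> <method> <path> <status>'.
    """
    trusted_nets = [ipaddress.ip_network(n) for n in allowlist]
    window_end = process_start + SETUP_WINDOW
    hits = []
    for line in log_lines:
        ts_text, src, method, path, status = line.split()
        ts = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
        if not any(path.startswith(p) for p in SENSITIVE_PATHS):
            continue
        in_window = process_start <= ts <= window_end
        trusted = any(ipaddress.ip_address(src) in net for net in trusted_nets)
        if in_window and not trusted:
            hits.append({"ts": ts_text, "src": src, "method": method,
                         "path": path, "status": status})
    return hits


# Constructed sample: process started 10:00:00Z, management network is 10.0.0.0/24.
SAMPLE_START = datetime(2026, 4, 1, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_ALLOWLIST = ["10.0.0.0/24"]
SAMPLE_LOG = [
    "2026-04-01T10:00:42Z 10.0.0.5 GET /api/settings 200",       # not a sensitive path
    "2026-04-01T10:03:12Z 203.0.113.7 POST /api/restore 200",    # in window, untrusted source
    "2026-04-01T10:04:30Z 10.0.0.5 POST /api/restore 200",       # in window, allowlisted
    "2026-04-01T10:15:00Z 203.0.113.7 POST /api/restore 401",    # after the window closed
]


def sample_hits():
    """Run the window check over the constructed sample log."""
    return find_setup_window_hits(SAMPLE_LOG, SAMPLE_START, SAMPLE_ALLOWLIST)


if __name__ == "__main__":
    for v in ("v2.3.7", "2.3.8", "2.3.10"):
        print(f"{v}: {'UPDATE REQUIRED' if is_vulnerable_version(v) else 'fixed'}")
    for hit in sample_hits():
        print("untrusted hit inside startup window:", hit)
```

Only the request to /api/restore from 203.0.113.7 at 10:03:12Z is flagged: the allowlisted source is trusted, and the later attempt falls outside the ten-minute window the advisory describes. A successful (200) restore from an untrusted source inside that window is the signal that warrants treating the instance as compromised rather than merely unpatched.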

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-4pvg-prr3-9cxr
https://github.com/advisories/GHSA-h27v-ph7w-m9fp
https://github.com/advisories/GHSA-mxqh-q9h6-v8pq
