Critical security vulnerability in Nginx UI closed again
Important security updates close multiple vulnerabilities in Nginx UI, the web UI for nginx web servers. Attackers can take over instances.
Admins who use the Nginx UI web interface for their nginx-based web servers should update the software promptly. If they don't, attackers can exploit multiple security vulnerabilities and, in the worst case, completely compromise systems.
Admin attacks possible
One vulnerability (CVE-2026-42238) is considered “critical.” Because backup restore points are accessible without authentication for ten minutes during every new installation and restart, remote attackers can upload manipulated backups. They can overwrite the configuration file app.ini with their commands and gain full control over instances.
By successfully exploiting another vulnerability (CVE-2026-42221 “high”), attackers can hijack admin accounts during the initial setup. This is said to be possible without authentication.
The remaining vulnerabilities can be used, among other things, to leak data that is supposed to be secret (CVE-2026-42223 “medium”). The developers state that the security problems have been resolved in Nginx UI 2.3.8. So far, there are no indications from the software manufacturer that attackers are already exploiting the vulnerabilities. However, admins should not delay patching for too long. Admins can find further information on the security vulnerabilities and how attacks could occur in the warning messages linked below this report.
The developers recently closed critical vulnerabilities in the web management tool.
The list of vulnerabilities, sorted by threat level in descending order:
- Unauthenticated Remote Code Execution via Backup Restore in nginx-ui
- Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
- Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover
- Settings API Exposes Protected Secrets
- Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
(des)