CVE-2026-42221
Published 2026-05-04
Priority: P267 | Severity: critical | CVSS 3.1 base score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.35% (26.4th percentile)
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate who is allowed to perform installation. A remote attacker who reaches the service before the legitimate operator can set the admin email, username, and password, causing permanent initial-instance takeover. This issue has been patched in version 2.3.8.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 0xjacky | nginx-ui | — | — |
| github.com | 0xjacky_nginx-ui | >= 2.0.0 < 2.3.8 | 2.3.8 |
| nginxui | nginx_ui | >= 2.0.0 < 2.3.8 | 2.3.8 |
GHSA (published 2026-05-06): Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim (CVE-2026-42221, severity HIGH, CWE-306: Missing Authentication for Critical Function)
### Summary
An unauthenticated network attacker can claim the initial administrator account on a fresh `nginx-ui` instance during the first-run setup window. The public `/api/install` endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate who is allowed to perform installation. A remote attacker who reaches the service before the legitimate operator can set the admin email, username, and password, causing permanent initial-instance takeover.
### Details
The vulnerable route is exposed publicly through the main API router. `router/routers.go:61-70` mounts `system.InitPublicRouter(root)` under `/api`, and `api/syst
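One way to check whether the setup window described above was reached from outside, as an added example that is not part of the advisory or of the nginx-ui project: a Python script that scans access logs in nginx's standard combined format (assumed to come from a reverse proxy in front of nginx-ui) for requests to `/api/install` from sources outside an operator-defined trusted set. The trusted ranges and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List

# Regex for nginx's standard "combined" log format (assumption: the proxy in
# front of nginx-ui logs in this format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)

INSTALL_PATH = "/api/install"  # the unauthenticated first-run installer endpoint

# Sources an operator expects to run first-run setup from (assumption:
# loopback plus an example management LAN; adjust to your environment).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "10.0.0.0/8")]


def is_trusted(src: str) -> bool:
    """True if the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:  # malformed or hostname, never trust it
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_untrusted_install_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """Return every request to the installer endpoint from an untrusted source."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Compare the path exactly, ignoring any query string.
        if m.group("path").split("?", 1)[0] != INSTALL_PATH:
            continue
        if is_trusted(m.group("src")):
            continue
        hits.append({k: m.group(k) for k in ("src", "time", "method", "status")})
    return hits


# Constructed sample lines, not taken from any real deployment.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/May/2026:09:00:01 +0000] "GET /api/install HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [04/May/2026:09:00:09 +0000] "GET /api/install HTTP/1.1" 200 312 "-" "python-requests/2.31"',
    '203.0.113.7 - - [04/May/2026:09:00:10 +0000] "POST /api/install HTTP/1.1" 200 54 "-" "python-requests/2.31"',
    '198.51.100.2 - - [04/May/2026:09:05:00 +0000] "POST /api/install HTTP/1.1" 403 0 "-" "curl/8.5.0"',
    '127.0.0.1 - - [04/May/2026:09:10:00 +0000] "GET /api/settings HTTP/1.1" 401 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for hit in find_untrusted_install_attempts(SAMPLE_LOG):
        print(f"{hit['time']} {hit['src']} {hit['method']} {INSTALL_PATH} -> {hit['status']}")
```

A POST to the installer from an untrusted source that returned a success status during the setup window means the initial admin account may have been claimed remotely, so the instance should be treated as compromised and rebuilt on 2.3.8 or later.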
VulDB (published 2026-05-04, CVSS 8.1): 0xJacky nginx-ui up to 2.3.7 missing authentication (EUVD-2026-27135) (CVE-2026-42221, severity HIGH)
A vulnerability marked as critical has been reported in 0xJacky nginx-ui up to 2.3.7. This vulnerability affects unknown code. The manipulation leads to missing authentication.
This vulnerability is documented as CVE-2026-42221. The attack can be initiated remotely. No exploit is available.
It is suggested to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.