CVE-2026-42222
Published 2026-05-04
Priority: P2 61 | Severity: critical | CVSS 3.1 base score: 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.34% (25.8th percentile)
Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 0xjacky | nginx-ui | — | — |
| nginxui | nginx_ui | — | — |
GHSA · 2026-05-06 · CVE-2026-42222 [HIGH] · CWE-284
Nginx-UI: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover
## Summary
An unauthenticated bootstrap takeover exists in `nginx-ui` during the initial installation window exposed by `POST /api/install`.
While the instance is still uninitialized, `POST /api/install` is reachable without authentication and accepts attacker-controlled bootstrap data. The handler sets the application's JWT secret, the node secret, the certificate email, and the initial administrator username and password in a single request. An attacker who can reach a fresh instance during the initial 10-minute setup window can therefore claim the installation before the legitimate operator does, and because every secret is attacker-chosen, a claimed instance cannot be recovered by resetting the administrator password alone.
This is not a general post-install takeover. The exposure condition is narrower: the target must still be i
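A detection pass a defender can run over nginx access logs for the condition described above, added here as an example and not code from the Nginx UI project or the advisory: it parses combined-format log lines, keeps `POST` requests to `/api/install`, discards those from an allow-list of trusted source networks (assumed here to be loopback only), and labels a 2xx response to anyone else as a successful claim rather than a mere attempt. The log lines, addresses and the loopback-only allow-list are constructed assumptions, not data from the advisory.

```python
"""Flag POST /api/install requests from untrusted sources in nginx access logs."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Network, IPv6Network, ip_address, ip_network
from typing import Iterable, List, Sequence, Union

# nginx "combined" log format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# The bootstrap endpoint named in the advisory.
INSTALL_PATH = "/api/install"

# Assumption: the operator only ever runs first-boot setup from these networks.
DEFAULT_TRUSTED_CIDRS: Sequence[str] = ("127.0.0.0/8", "::1/128")

Network = Union[IPv4Network, IPv6Network]


@dataclass
class Finding:
    time: str
    ip: str
    status: int
    outcome: str  # "claimed" for a 2xx answer, "attempted" otherwise


def _is_trusted(ip: str, trusted: Sequence[Network]) -> bool:
    try:
        addr = ip_address(ip)
    except ValueError:  # not an IP literal (garbled line); treat as untrusted
        return False
    return any(addr in net for net in trusted)


def scan_install_attempts(
    lines: Iterable[str], trusted_cidrs: Sequence[str] = DEFAULT_TRUSTED_CIDRS
) -> List[Finding]:
    """Return one Finding per POST /api/install from outside the trusted networks.

    A 2xx from an untrusted address means that client claimed the instance: its
    JWT secret, node secret and admin credentials are now chosen by the client.
    """
    trusted = [ip_network(c) for c in trusted_cidrs]
    findings: List[Finding] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Compare only the path component; ignore query string and trailing slash.
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if m.group("method") != "POST" or path != INSTALL_PATH:
            continue
        ip = m.group("ip")
        if _is_trusted(ip, trusted):
            continue
        status = int(m.group("status"))
        outcome = "claimed" if 200 <= status < 300 else "attempted"
        findings.append(Finding(m.group("time"), ip, status, outcome))
    return findings


# Constructed sample log (not real traffic): one legitimate local bootstrap,
# one successful remote claim, and one remote attempt that was refused.
SAMPLE_LOG = """\
192.0.2.10 - - [04/May/2026:10:00:01 +0000] "GET /api/settings HTTP/1.1" 401 12 "-" "curl/8.5.0"
127.0.0.1 - - [04/May/2026:10:00:05 +0000] "POST /api/install HTTP/1.1" 200 35 "-" "Mozilla/5.0"
198.51.100.7 - - [04/May/2026:10:00:09 +0000] "POST /api/install HTTP/1.1" 200 35 "-" "python-requests/2.31"
203.0.113.5 - - [04/May/2026:10:03:12 +0000] "POST /api/install/?x=1 HTTP/1.1" 403 0 "-" "curl/8.5.0"
"""


def main() -> None:
    for f in scan_install_attempts(SAMPLE_LOG.splitlines()):
        print(f"{f.time} {f.ip} -> HTTP {f.status} ({f.outcome})")


if __name__ == "__main__":
    main()
```

If nginx-ui sits behind a reverse proxy, `$remote_addr` in the log is the proxy, so log and parse the forwarded client address instead. Because the handler sets the JWT secret, node secret and administrator credentials in one request, a `claimed` finding from an untrusted address means the instance must be rebuilt from scratch, not merely have its administrator password reset.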
VulDB · 2026-05-04 · CVSS 8.1 · CVE-2026-42222 [HIGH] · EUVD-2026-27137
0xJacky nginx-ui 2.3.5 /api/install missing authentication
A vulnerability classified as critical was found in 0xJacky nginx-ui 2.3.5. The affected element is an unknown function of the file /api/install; the endpoint can be reached without authentication (missing authentication).
The vulnerability is tracked as CVE-2026-42222. The attack can be carried out remotely. No public exploit is available.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Timeline: 2026-05-04 published