
github.com/0xJacky/nginx-ui vulnerabilities | cvebase

18 known vulnerabilities affecting github.com/0xjacky_nginx-ui.

Total CVEs: 18
CISA KEV: 0
Public exploits: 2
Exploited in wild: 2
Severity breakdown: CRITICAL 5, HIGH 9, MEDIUM 4

Vulnerabilities

CVE-2026-33032 (P1, CRITICAL; Exploited; PoC)
Affected: ≥ 0, ≤ 1.99. Date: 2026-03-30. CWE-306.
Title: nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
Summary: The nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: `/mcp` and `/mcp_message`. While `/mcp` requires both IP whitelisting and authentication (`AuthRequired()` middleware), the `/mcp_message` endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middl
Sources: GHSA, OSV
CVE-2026-27944 (P1, CRITICAL; Exploited; PoC)
Affected: ≥ 0, < 2.3.3. Date: 2026-03-05. CWE-306.
Title: Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure
Summary: The `/api/backup` endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the `X-Backup-Security` response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user cre
Sources: GHSA, OSV
CVE-2026-42238 (P2, CRITICAL)
Affected: ≥ 0, < 2.3.8. Date: 2026-05-06. CWE-94.
Title: Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore
Product: nginx-ui. Repository: `0xJacky/nginx-ui` (branch: `dev`). Vulnerability class: Authentication Bypass → Arbitrary File Write → OS Command Injection. Affected component: `POST /api/restore`.
Vulnerability summary: nginx-ui exposes a backup restore endpoint (`POST /api/
Sources: GHSA
CVE-2026-42221 (P2, HIGH)
Affected: ≥ 2.0.0, < 2.3.8. Date: 2026-05-06. CWE-306.
Title: Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
Summary: An unauthenticated network attacker can claim the initial administrator account on a fresh `nginx-ui` instance during the first-run setup window. The public `/api/install` endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transi
Sources: GHSA
CVE-2024-22198 (P2, HIGH)
Affected: ≥ 0, < 2.0.0.beta.9. Date: 2024-01-11. CWE-77.
Title: Authenticated (user role) arbitrary command execution by modifying `start_cmd` setting (GHSL-2023-268)
Summary: Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings.
Details: The `Home > Preference` page exposes a list of system settings such as `Run Mode`, `Jwt Secr
Sources: GHSA, OSV
CVE-2026-33030 (P2, HIGH)
Affected: ≥ 0, ≤ 1.99. Date: 2026-03-30. CWE-639.
Title: nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys
Summary: Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base `Model` struct lacks a `user_id` field, and all resource endpoints perform queries by ID without verifying user
Sources: GHSA, OSV
CVE-2024-23827 (P2, CRITICAL)
Affected: ≥ 0, < 2.0.0-beta.12. Date: 2024-01-29. CWE-22.
Title: Nginx-UI vulnerable to arbitrary file write through the Import Certificate feature
Summary: The Import Certificate feature allows arbitrary writes into the system. The feature does not check whether the provided user input is a certificate/key and allows writing into arbitrary paths in the system. https://github.com/0xJacky/nginx-ui/blob/f20d97a9fdc2a83809498b35b6abc0239ec7fdda/
Sources: GHSA, OSV
CVE-2024-22197 (P3, HIGH)
Affected: ≥ 0, < 2.0.0.beta.9. Date: 2024-01-11. CWE-77.
Title: Authenticated (user role) remote command execution by modifying `nginx` settings (GHSL-2023-269)
Summary: The `Home > Preference` page exposes a small list of nginx settings such as `Nginx Access Log Path` and `Nginx Error Log Path`. However, the API also exposes `test_config_cmd`, `reload_cmd` and `restart_cmd`. While the UI doesn't allow users to modify any of these
Sources: GHSA, OSV
CVE-2024-23828 (P3, HIGH)
Affected: ≥ 0, < 2.0.0-beta.12. Date: 2024-01-29. CWE-74.
Title: Nginx-UI vulnerable to authenticated RCE through injecting into the application config via CRLF
Summary: Fix bypass for the following bugs: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-pxmr-q2x3-9x9m and https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-8r25-68wm-jw35, allowing direct injection into `app.ini` via CRLF to change the value
Sources: GHSA, OSV
CVE-2026-33031 (P3, HIGH)
Affected: ≥ 0, < 1.9.10-0.20260314152518-7b66578adb47. Date: 2026-04-21. CWE-284.
Title: Nginx-UI: Disabled users retain full API access through previously issued bearer tokens
Summary: A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user's access, so an attacker who already stole a JWT can continue reading and modifying pr
Sources: GHSA
CVE-2026-33026 (P3, CRITICAL)
Affected: ≥ 0, ≤ 1.9.9. Date: 2026-03-30. CWE-312.
Title: nginx-ui Backup Restore Allows Tampering with Encrypted Backups
Summary: The `nginx-ui` backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration.
Details: The backup format lacks a trusted integrity root. Although files are encrypted, the encryption key and IV are provided to the client and the integrity metadata (
Sources: GHSA, OSV
CVE-2026-33028 (P3, HIGH)
Affected: ≥ 0, ≤ 1.99. Date: 2026-03-30. CWE-362.
Title: nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse
Summary: The `nginx-ui` application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (`app.ini`). This vulnerability r
Sources: GHSA, OSV
CVE-2026-34403 (P3, HIGH)
Affected: ≥ 0, < 1.9.10-0.20260316053337-1a9cd29a3082. Date: 2026-04-21. CWE-1385.
Title: Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
Summary: All WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cooki
Sources: GHSA
CVE-2026-42223 (P3, MEDIUM)
Affected: ≥ 0, < 2.3.8. Date: 2026-05-06. CWE-200.
Title: Nginx-UI Settings API Exposes Protected Secrets
Summary: The `GetSettings` API handler (`api/settings/settings.go:24-65`) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with `protected:"true"` - however, this tag is only enforced during writes (via `ProtectedFill` in `SaveSettings`) and is completely ignored during reads. This exposes 40+ protecte
Sources: GHSA
CVE-2026-42220 (P3, MEDIUM)
Affected: ≥ 0, ≤ 1.9.9. Date: 2026-05-05. CWE-200.
Title: Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
Summary: An authenticated user can call `GET /api/settings` and retrieve sensitive configuration values, including `n
Sources: GHSA
CVE-2026-33027 (P3, MEDIUM)
Affected: ≥ 0, ≤ 1.99. Date: 2026-03-30. CWE-22.
Title: Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation
Summary: The nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, this
Sources: GHSA, OSV
CVE-2026-33029 (P3, MEDIUM)
Affected: ≥ 0, ≤ 1.99. Date: 2026-03-30. CWE-20.
Title: nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval
Summary: An input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive.
Sources: GHSA, OSV
CVE-2024-22196 (P3, HIGH)
Affected: ≥ 0, < 2.0.0.beta.9. Date: 2024-01-11. CWE-89.
Title: Authenticated (user role) SQL injection in `OrderAndPaginate` (GHSL-2023-270)
Summary: The `OrderAndPaginate` function (https://github.com/0xjacky/nginx-ui/blob/04bf8ec487f06ab17a9fb7f34a28766e5f53885e/model/model.go#L99C4) is used to order and paginate data. It is defined as follows: `func OrderAndPaginate(c *gin.Context) func(db *gorm.DB) *gorm.DB { return func(db *gorm.DB) *gor`
Sources: GHSA, OSV