Impact
Nginx UI versions 2.0.0 through 2.3.7 expose an /api/install endpoint that is reachable without authentication. The encryption applied to the request payload protects only its confidentiality; it does not establish who the caller is. As a result, an unauthenticated network attacker can claim the initial administrator account on a fresh instance (one whose initial setup has not yet been completed) by supplying an administrator username, email address, and password. This lets the attacker permanently take full control of the application, with elevated privileges and complete administrative access. The weakness is a missing authentication check on a privileged operation (CWE-306).
Affected Systems
The affected vendor is 0xJacky; the product is Nginx UI. Any Nginx UI instance running a version from 2.0.0 up to and including 2.3.7 (that is, any version before 2.3.8) is vulnerable. The vulnerability was patched in release 2.3.8, which removes the unauthenticated install capability and enforces authentication before administrator rights can be claimed.
Risk and Exploitability
The CVSS score of 8.1 reflects high severity, indicating that successful exploitation would provide wide-ranging control of the system. No EPSS score is available, so the current likelihood of exploitation is unknown; the absence of an EPSS entry does not imply low risk. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a remote network attacker who can reach the service's web interface before the legitimate operator completes the initial setup. Such an attacker can invoke the open /api/install endpoint, claim the administrator account, and lock out the rightful operator. The risk is elevated when the service is publicly exposed or reachable over untrusted networks.
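The two checks a defender wants from this advisory are (a) whether a deployed Nginx UI build falls inside the affected range named under Affected Systems, and (b) whether anything has already touched the open install endpoint. The following is an added example written for this page, not code from the Nginx UI project or from the advisory. It assumes the version string looks like `2.3.7` or `v2.3.7` and that the instance is fronted by nginx writing the standard "combined" access-log format; the log lines, IP addresses, and `trusted_ips` allowlist are constructed for illustration, and the HTTP method and status values in the samples are made up rather than taken from the advisory.

```python
import re
from typing import Iterable, List, Tuple

# Added example, constructed for this page; not code from Nginx UI or the advisory.
# Affected range as stated in the advisory: 2.0.0 <= version < 2.3.8 (fixed in 2.3.8).
AFFECTED_MIN = (2, 0, 0)
FIXED_IN = (2, 3, 8)
INSTALL_PATH = "/api/install"

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Standard nginx "combined" access-log layout (assumed; adjust if the log_format differs):
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent ...
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn 'v2.3.7', '2.3.7' or '2.3.7-rc1' into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when the version lies inside the range the advisory marks as vulnerable."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN


def find_install_requests(lines: Iterable[str], trusted_ips: Iterable[str] = ()) -> List[dict]:
    """Return one record per request whose path is the install endpoint.

    The query string is stripped before comparison, so '/api/install?x=1' still
    matches. Requests from addresses outside trusted_ips are marked untrusted so
    an operator's own setup request can be told apart from anything else.
    """
    trusted = set(trusted_ips)
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("target").split("?", 1)[0]
        if path != INSTALL_PATH:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "untrusted": m.group("ip") not in trusted,
        })
    return hits


# Constructed sample log lines; addresses are from RFC 5737 documentation ranges.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /api/settings HTTP/1.1" 401 52 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2025:10:00:05 +0000] "POST /api/install?lang=en HTTP/1.1" 200 118 "-" "python-requests/2.31"',
    '203.0.113.5 - - [01/Jan/2025:10:00:09 +0000] "POST /api/install HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [01/Jan/2025:10:01:00 +0000] "GET /install HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for v in ("2.0.0", "2.3.7", "2.3.8", "v2.4.0"):
        print(f"{v:>8}: {'affected' if is_affected(v) else 'not affected'}")
    # 203.0.113.5 stands in for the operator's own workstation in this constructed sample.
    for hit in find_install_requests(SAMPLE_LOG, trusted_ips={"203.0.113.5"}):
        flag = "UNTRUSTED" if hit["untrusted"] else "trusted"
        print(f"{hit['time']} {hit['ip']} {hit['method']} {INSTALL_PATH} -> {hit['status']} [{flag}]")
```

Two caveats follow from the advisory itself. First, a hit on /api/install from an address you do not recognise, on an instance that had not finished setup, is the signal that the administrator account may already have been claimed by someone else; the version check only tells you whether that was possible. Second, if Nginx UI sits behind another proxy or load balancer, `$remote_addr` is that intermediary's address, so the allowlist comparison should use whatever header carries the original client address in your deployment. The durable fix is the one the advisory names: upgrade to 2.3.8 or later, and keep any not-yet-initialised instance off untrusted networks until setup is complete.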
OpenCVE Enrichment