Description
Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.
Published: 2026-05-04
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated bootstrap takeover vulnerability exists in nginx-ui version 2.3.5 where an attacker can send a POST request to /api/install during the initial installation window and claim the instance. The vulnerability allows the attacker to control the deployment process and configure the service under their own settings, potentially compromising the confidentiality, integrity, and availability of the system. The weakness is rooted in missing access control (CWE-284) and lack of authentication (CWE-306).

Affected Systems

The affected product is nginx-ui from 0xJacky, specifically version 2.3.5. No other versions were listed as affected in the advisory.

Risk and Exploitability

With a CVSS score of 8.1, the vulnerability is considered high severity. EPSS information is not available, and the issue is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated HTTP POST to /api/install performed during the instance's first-boot installation period, inferred from the description of the bootstrap takeover.

Generated by OpenCVE AI on May 4, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Restrict network access to the /api/install endpoint during the initial installation period using firewall rules or IP filtering to limit exposure to trusted IP ranges.
  • Deploy a newer nginx-ui release or apply the vendor patch immediately once it becomes available.
  • Apply additional authentication (e.g., HTTP basic auth or a reverse proxy) to protect the installation endpoint as a temporary safeguard until the vulnerability is fixed.
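Added example, not from the advisory or the nginx-ui project: an nginx reverse-proxy configuration that applies the two safeguards above (source-IP restriction and basic authentication) to the /api/install endpoint. It assumes nginx-ui is bound to 127.0.0.1:9000 so the proxy cannot be bypassed, that 10.0.0.0/8 is the trusted administrative range, and that the hostname, certificate paths and htpasswd file are placeholders to adjust.

```nginx
# Added example (not from the advisory or the nginx-ui project).
# Assumptions: nginx-ui listens only on 127.0.0.1:9000, 10.0.0.0/8 is the
# admin range, and the hostname, TLS paths and htpasswd file are placeholders.
server {
    listen 443 ssl;
    server_name nginx-ui.example.internal;              # assumed hostname
    ssl_certificate     /etc/nginx/tls/nginx-ui.crt;    # assumed path
    ssl_certificate_key /etc/nginx/tls/nginx-ui.key;    # assumed path

    # Bootstrap endpoint: require BOTH a trusted source address and
    # credentials. "satisfy all" is the default; it is spelled out here so
    # nobody relaxes it to "satisfy any" by accident.
    location = /api/install {
        satisfy all;
        allow 10.0.0.0/8;                               # assumed admin range
        deny  all;
        auth_basic           "nginx-ui installation";
        auth_basic_user_file /etc/nginx/htpasswd;       # assumed path
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Remaining UI and API traffic is proxied unchanged; the UI uses
    # WebSockets, so the Upgrade headers are forwarded.
    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host       $host;
    }
}
```

Before exposing the proxy, confirm from an address outside the allowed range that a request to /api/install is refused with 403, and that the nginx-ui port itself is not reachable from the network.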


Advisories

No advisories yet.

History

Mon, 04 May 2026 21:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  (none)           0xjacky; 0xjacky nginx-ui
Vendors & Products   (none)           0xjacky; 0xjacky nginx-ui

Mon, 04 May 2026 20:30:00 +0000

Type         Values Removed   Values Added
Description  (none)           Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.
Title        (none)           nginx-ui: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover
Weaknesses   (none)           CWE-284; CWE-306
References   (none)           (none)
Metrics      (none)           cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T20:13:55.929Z

Reserved: 2026-04-25T05:37:12.116Z

Link: CVE-2026-42222

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T21:16:32.173

Modified: 2026-05-04T21:16:32.173

Link: CVE-2026-42222

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T21:30:09Z

Weaknesses