Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui — typically root in Docker deployments. This issue has been patched in version 2.3.8.
Published: 2026-05-04
Score: 9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Nginx UI application exposes a backup restore endpoint that, for the first ten minutes after a fresh startup, is accessible without authentication. An attacker can upload a crafted archive that replaces the application's configuration file and its SQLite database, injecting an arbitrary operating system command through the TestConfigCmd setting. When the application restarts, the stored command executes as the nginx-ui process user, which in containerised deployments is typically root. The flaw is an instance of code injection (CWE-94) and yields arbitrary code execution by an unauthenticated remote party.

Affected Systems

The vulnerability affects the 0xJacky nginx-ui product in versions prior to 2.3.8. Fresh installations of any earlier version are susceptible whenever the service is reachable during the ten-minute window after startup.

Risk and Exploitability

The CVSS v4.0 score is 9, which the record rates as Critical. No EPSS value is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires network access to POST /api/restore during the unauthenticated window; no credentials are needed. A successful restore lets the attacker run arbitrary commands as the service user, which amounts to full system compromise when nginx-ui runs as root, as is typical in Docker deployments. Although the exposure is time-limited, every exposed fresh installation passes through that window, so the issue should be treated as a critical threat.

Generated by OpenCVE AI on May 4, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nginx‑ui to version 2.3.8 or later, which removes the unauthenticated restore endpoint.
  • If an upgrade is not immediately feasible, block or firewall the POST /api/restore URI during the first ten minutes after a fresh start, or until the application is patched.
  • Restart the nginx‑ui service after implementing the upgrade or firewall rule to ensure the new configuration takes effect.

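To triage whether an exposed instance was hit before the upgrade or firewall rule was in place, here is an added example (not part of the OpenCVE record or of the nginx-ui project) that scans access logs for POST /api/restore and marks requests that fell inside the ten-minute window after service start. It assumes the requests were logged by a reverse proxy in nginx combined format and that the start time is taken from the service log; the log lines and start time below are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# nginx "combined" access log format (assumption: nginx-ui sits behind such a proxy).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
WINDOW = timedelta(minutes=10)  # unauthenticated window stated in the advisory

# Constructed sample: one restore accepted shortly after start, one rejected well after it.
SAMPLE_LOG = """\
203.0.113.7 - - [04/May/2026:20:03:12 +0000] "POST /api/restore HTTP/1.1" 200 57 "-" "curl/8.5.0"
198.51.100.4 - - [04/May/2026:20:04:30 +0000] "GET /api/settings HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.5 - - [04/May/2026:20:45:00 +0000] "POST /api/restore?x=1 HTTP/1.1" 401 0 "-" "curl/8.5.0"
"""
# Constructed: process start time as recorded in the nginx-ui service log.
STARTED_AT = datetime(2026, 5, 4, 20, 0, 0, tzinfo=timezone.utc)


def find_restore_requests(lines, started_at):
    """Return (ip, timestamp, status, in_window) for every POST /api/restore seen."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        if m["method"] != "POST" or m["path"].split("?", 1)[0] != "/api/restore":
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        in_window = started_at <= ts <= started_at + WINDOW
        hits.append((m["ip"], ts, int(m["status"]), in_window))
    return hits


def likely_compromised(hits):
    """Sources whose restore was accepted (2xx) inside the window: treat as a compromise, not an attempt."""
    return sorted({ip for ip, _, status, in_window in hits if in_window and 200 <= status < 300})


if __name__ == "__main__":
    hits = find_restore_requests(SAMPLE_LOG.splitlines(), STARTED_AT)
    for ip, ts, status, in_window in hits:
        print(f"{ts:%Y-%m-%dT%H:%M:%S%z} {ip} POST /api/restore -> {status} in_window={in_window}")
    print("investigate:", likely_compromised(hits))
```

A restore accepted inside the window means app.ini and the database are attacker-supplied, so the host should be rebuilt rather than only upgraded.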


Advisories

No advisories yet.

History

Mon, 04 May 2026 21:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | 0xjacky; 0xjacky nginx-ui
Vendors & Products | | 0xjacky; 0xjacky nginx-ui

Mon, 04 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Description | | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui — typically root in Docker deployments. This issue has been patched in version 2.3.8.
Title | | Unauthenticated Remote Code Execution via Backup Restore in nginx-ui
Weaknesses | | CWE-94
References | |
Metrics | | cvssV4_0: {'score': 9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T20:13:22.196Z

Reserved: 2026-04-25T05:37:12.118Z

Link: CVE-2026-42238

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-04T21:16:32.707

Modified: 2026-05-04T21:16:32.707

Link: CVE-2026-42238

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T21:30:09Z

Weaknesses