Description
Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.
Published: 2026-05-12
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user of Nginx UI can exploit a design flaw in the cluster proxy middleware. By creating a cluster node that points to an arbitrary internal URL and then sending API requests with the X-Node-ID header, the proxy forwards the request directly to the attacker-specified address. The vulnerability, identified as CWE-918, allows bypassing network segmentation and reaching services bound to localhost or other internal networks, effectively exposing sensitive internal resources.

Affected Systems

The affected product is Nginx UI from 0xJacky. Versions 2.3.4 and earlier are vulnerable. Any deployment running these versions without applying updates is at risk.

Risk and Exploitability

The CVSS score of 8.5 indicates high severity. Because the flaw requires the attacker to be an authenticated user with permission to create cluster nodes, exploitation most likely comes from an insider or a compromised account, but once authenticated the attacker can reach any internal endpoint that the Nginx UI host itself can reach. The EPSS score is not available, and the vulnerability is not listed in CISA's KEV catalog, but the high CVSS score combined with the potential for internal network exposure warrants immediate attention.

Generated by OpenCVE AI on May 12, 2026 at 22:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nginx UI to the newest release that contains the SSRF fix.
  • Disable the Cluster Proxy middleware if it is not needed for normal operation.
  • Limit the creation of cluster nodes to administrative users only, ensuring that only authorized personnel can assign internal URLs.


Advisories

Source: GitHub GHSA
ID: GHSA-wr32-99hh-6f35
Title: Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services
History

Wed, 13 May 2026 01:15:00 +0000

Type: First Time appeared
Values Added: 0xjacky; 0xjacky nginx-ui

Type: Vendors & Products
Values Added: 0xjacky; 0xjacky nginx-ui

Tue, 12 May 2026 21:30:00 +0000

Type: Description
Values Added: Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.

Type: Title
Values Added: Nginx UI: Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware Allows Access to Internal Services

Type: Weaknesses
Values Added: CWE-918

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T20:49:16.240Z

Reserved: 2026-05-04T21:24:36.506Z

Link: CVE-2026-44015

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T22:16:35.330

Modified: 2026-05-12T22:16:35.330

Link: CVE-2026-44015

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T01:00:22Z

Weaknesses