Impact
This vulnerability arises from missing access control checks on the "Let's Encrypt" certificate download endpoint in Nginx Proxy Manager. An attacker who has authenticated to the management interface can send a specially crafted GET request to retrieve the server’s TLS private key material. The disclosed key material compromises the confidentiality and integrity of all traffic protected by that certificate, potentially enabling man-in-the-middle attacks. The weakness is a classic case of insecure direct object reference (CWE-284).
Affected Systems
Nginx Proxy Manager version 2.14.0 is affected. No other versions are listed in the CVE data.
Risk and Exploitability
The CVSS score of 6.5 indicates medium severity. The EPSS score is reported as < 1%, suggesting a very low probability of mass exploitation at this time. The vulnerability is not included in the CISA KEV catalog. An authenticated attacker, possibly over any network path that permits access to the admin interface, can exploit the flaw by issuing a GET request to the endpoint. No special privileges beyond those used to log into the admin console are required.
OpenCVE Enrichment