CVE-2026-42221
Unauthenticated Initial Admin Account Takeover in Nginx UI
Publication date: 2026-05-04
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nginxui | nginx_ui | From 2.0.0 (inc) to 2.3.8 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Nginx UI, a web user interface for managing the Nginx web server, in versions from 2.0.0 up to but not including 2.3.8. A fresh nginx-ui instance starts in a first-run setup state in which the initial administrator account has not yet been created. During that window the /api/install endpoint answers requests without any authentication: the request-encryption flow protects the confidentiality of the setup payload in transit, but nothing verifies that the party submitting it is the legitimate operator (CWE-306, missing authentication for a critical function). A remote attacker who reaches the service before the operator completes setup can therefore submit their own admin email, username, and password and become the instance's first administrator, leaving the operator locked out of the account they intended to create.
How can this vulnerability impact me?
Exploitation yields full administrative control of a fresh Nginx UI instance, and through it control of everything the interface administers, starting with the nginx configuration it manages. Consequences include disclosure of sensitive configuration, disruption of the services that nginx fronts, and use of the compromised host as a foothold for further attacks on the surrounding environment.
What immediate steps should I take to mitigate this vulnerability?
Upgrade nginx-ui to version 2.3.8 or later, where the issue is fixed.
Until the upgrade is applied, do not expose a freshly started instance to untrusted networks: reach it over localhost, a VPN, or a firewall rule limited to the operator's address, and complete the first-run setup immediately after starting the service so that the unauthenticated window stays as short as possible. If an affected version was ever started while reachable from an untrusted network, confirm that the existing administrator account is the one your operator created; an unfamiliar admin email or username is the sign that someone else used the setup window.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Two facts together identify an affected instance: the nginx-ui version is at least 2.0.0 and below 2.3.8, and the /api/install endpoint answers without credentials. A single unauthenticated request shows the second:
- Use curl to check whether the endpoint answers without credentials (the -v output includes the HTTP status line): curl -v http://<nginx-ui-host>:<port>/api/install
- A 2xx status means the route is reachable without authentication; 401 or 403 means the server demanded credentials; 404 means the route is not present. Reachability alone does not prove the instance is still in its first-run window.
- Confirm that the deployed version (from the release or container image tag you installed) falls within 2.0.0 <= version < 2.3.8.
- Check whether setup has already been completed: an instance whose administrator account was created by the operator before anyone else reached it is past the window, but should still be upgraded.
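The two checks above, packaged as one POSIX shell script. This is an added example written for this page, not code from the nginx-ui project or from the advisory: only the route path /api/install and the affected range 2.0.0 <= version < 2.3.8 come from the advisory; the script name, the function names, and the reading of HTTP status codes as exposed, protected or absent are this example's own assumptions about ordinary HTTP semantics, not documented nginx-ui behaviour.

```shell
#!/bin/sh
# check_nginx_ui.sh (added example; not part of nginx-ui or the advisory).
# 1) is_vulnerable_version: is a reported version inside [2.0.0, 2.3.8)?
# 2) probe_install_endpoint: does /api/install answer an unauthenticated GET?
# The status-code labels in classify_status are an assumption about plain HTTP
# semantics; nginx-ui's exact responses are not documented on this page.

# is_vulnerable_version VERSION
# Returns 0 when VERSION is in [2.0.0, 2.3.8), 1 otherwise (including malformed
# input). A leading "v" and a pre-release/build suffix ("2.3.7-rc1") are
# tolerated; the suffix is dropped, so "2.3.8-rc1" is not flagged. Verify any
# pre-release you run against its own changelog.
is_vulnerable_version() {
    v=${1#v}; v=${v#V}
    v=${v%%-*}; v=${v%%+*}
    old_ifs=$IFS
    IFS=.
    set -f; set -- $v; set +f   # split on "." without pathname expansion
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    for n in "$1" "$2" "$3"; do
        case "$n" in ''|*[!0-9]*) return 1 ;; esac
    done
    # Pack major/minor/patch into one integer so the range test is numeric.
    num=$(( $1 * 1000000 + $2 * 1000 + $3 ))
    if [ "$num" -ge 2000000 ] && [ "$num" -lt 2003008 ]; then
        return 0
    fi
    return 1
}

# probe_install_endpoint BASE_URL
# Prints the HTTP status code of an unauthenticated GET to BASE_URL/api/install;
# curl prints "000" when the host cannot be reached. Requires curl.
probe_install_endpoint() {
    curl -s -o /dev/null -w '%{http_code}' --max-time 5 "${1%/}/api/install"
}

# classify_status CODE
#   exposed     the route answered a request that carried no credentials
#   protected   the server demanded authentication
#   absent      no such route (not nginx-ui, or a build without it)
#   unreachable no HTTP answer at all
# A 2xx alone shows the route is reachable; whether the instance is still in its
# first-run window must be confirmed from the version and from whether the
# operator has already completed setup.
classify_status() {
    case "$1" in
        2[0-9][0-9]) echo exposed ;;
        401|403)     echo protected ;;
        404)         echo absent ;;
        000)         echo unreachable ;;
        *)           echo unknown ;;
    esac
}

# Usage: sh check_nginx_ui.sh http://<nginx-ui-host>:<port> [deployed-version]
if [ -n "${1:-}" ]; then
    code=$(probe_install_endpoint "$1")
    echo "GET $1/api/install -> HTTP $code ($(classify_status "$code"))"
    if [ -n "${2:-}" ]; then
        if is_vulnerable_version "$2"; then
            echo "version $2: inside affected range 2.0.0 <= v < 2.3.8"
        else
            echo "version $2: outside affected range"
        fi
    fi
fi
```

Run it as `sh check_nginx_ui.sh http://<nginx-ui-host>:<port> 2.3.7` against each nginx-ui instance you operate. Treat "exposed" plus an in-range version as a host that must be upgraded and whose administrator account should be verified; treat "exposed" on an already-installed instance as a reason to upgrade rather than as proof of compromise, since the script cannot tell from the status code alone whether the setup window is still open.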
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an unauthenticated attacker to take over the initial administrator account of the Nginx UI during the first-run setup window. Such unauthorized access could lead to compromise of sensitive data and administrative control.
Because the attacker can gain administrative privileges without authentication, this could result in violations of compliance requirements related to data protection and access control, such as those mandated by GDPR and HIPAA.
Specifically, failure to properly secure administrative access may lead to unauthorized access to personal or protected health information, undermining confidentiality, integrity, and availability requirements.