CVE-2026-42222
Unauthenticated Bootstrap Takeover in Nginx UI
Publication date: 2026-05-04
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nginxui | nginx_ui | 2.3.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Nginx UI version 2.3.5, which is a web user interface for the Nginx web server. It involves an unauthenticated bootstrap takeover during the initial installation window, which is exposed by the POST /api/install endpoint. This means that an attacker can potentially take control of the installation process without needing to authenticate.
How can this vulnerability impact me? :
The vulnerability can have a severe impact as it allows an attacker to take over the bootstrap process without authentication. According to the CVSS score of 8.1, it can lead to high confidentiality, integrity, and availability impacts, meaning sensitive data could be exposed or altered, and the system could be disrupted or controlled by an attacker.