Executive Summary

This vulnerability affects the Nginx UI, a web user interface for the Nginx web server, in versions prior to 2.3.8. During the first 10 minutes after the application starts on a fresh installation, the backup restore endpoint (POST /api/restore) is completely unauthenticated.

An unauthenticated remote attacker can exploit this by uploading a crafted backup archive that overwrites the application's configuration file (app.ini) and its SQLite database.

Because the attacker controls the restored app.ini file, they can inject an arbitrary operating system command into the TestConfigCmd setting. When the application restarts to apply the restored configuration, a follow-up request triggers the execution of this command with the privileges of the user running nginx-ui, which is typically root in Docker deployments.

This vulnerability has been fixed in version 2.3.8.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an unauthenticated remote attacker to execute arbitrary operating system commands with the privileges of the nginx-ui process user, often root in Docker environments.

Such command execution can lead to full system compromise, unauthorized access, data manipulation, or destruction, and potentially allow the attacker to control the affected server.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, upgrade nginx-ui to version 2.3.8 or later, where the issue has been patched.

Avoid using fresh installations of nginx-ui versions prior to 2.3.8 without applying the update, especially within the first 10 minutes after process startup.

If upgrading immediately is not possible, restrict network access to the nginx-ui service during the vulnerable window after startup to prevent unauthenticated access to the backup restore endpoint.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves an unauthenticated backup restore endpoint (/api/restore) in nginx-ui versions prior to 2.3.8 that allows an attacker to upload a crafted backup archive. Detection can focus on monitoring for unexpected POST requests to the /api/restore endpoint shortly after nginx-ui process startup, especially within the first 10 minutes.

You can check your nginx-ui version to confirm if it is vulnerable by running a command to query the installed version.

• Check nginx-ui version (replace with actual command depending on your environment): nginx-ui --version
• Monitor network traffic or logs for POST requests to /api/restore endpoint shortly after service startup.
• Use tools like curl or wget to test if the /api/restore endpoint is accessible without authentication within the first 10 minutes after startup.
• Example curl command to test endpoint accessibility: curl -X POST http://<nginx-ui-host>/api/restore -v

Useful 0 Not Useful 0

Compliance Impact

CVE-2026-42238 allows unauthenticated remote attackers to execute arbitrary OS commands with root privileges by exploiting a backup restore endpoint in nginx-ui. This can lead to unauthorized access and modification of sensitive data and system configurations.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and system integrity.

Because the vulnerability allows full system access and arbitrary configuration changes, it increases the risk of data exposure, loss of data integrity, and denial of service, all of which are critical concerns under these regulations.

Useful 0 Not Useful 0