CVE-2026-42238
Analyzed Analyzed - Analysis Complete

Unauthenticated Command Injection in Nginx UI

Vulnerability report for CVE-2026-42238, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-04

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui β€” typically root in Docker deployments. This issue has been patched in version 2.3.8.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-04
Last Modified
2026-05-06
Generated
2026-07-06
AI Q&A
2026-05-05
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nginxui nginx_ui to 2.3.8 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Detection Guidance

This vulnerability involves an unauthenticated backup restore endpoint (/api/restore) in nginx-ui versions prior to 2.3.8 that allows an attacker to upload a crafted backup archive. Detection can focus on monitoring for unexpected POST requests to the /api/restore endpoint shortly after nginx-ui process startup, especially within the first 10 minutes.

You can check your nginx-ui version to confirm if it is vulnerable by running a command to query the installed version.

  • Check nginx-ui version (replace with actual command depending on your environment): nginx-ui --version
  • Monitor network traffic or logs for POST requests to /api/restore endpoint shortly after service startup.
  • Use tools like curl or wget to test if the /api/restore endpoint is accessible without authentication within the first 10 minutes after startup.
  • Example curl command to test endpoint accessibility: curl -X POST http://<nginx-ui-host>/api/restore -v
Executive Summary

This vulnerability affects the Nginx UI, a web user interface for the Nginx web server, in versions prior to 2.3.8. During the first 10 minutes after the application starts on a fresh installation, the backup restore endpoint (POST /api/restore) is completely unauthenticated.

An unauthenticated remote attacker can exploit this by uploading a crafted backup archive that overwrites the application's configuration file (app.ini) and its SQLite database.

Because the attacker controls the restored app.ini file, they can inject an arbitrary operating system command into the TestConfigCmd setting. When the application restarts to apply the restored configuration, a follow-up request triggers the execution of this command with the privileges of the user running nginx-ui, which is typically root in Docker deployments.

This vulnerability has been fixed in version 2.3.8.

Impact Analysis

This vulnerability can have severe impacts because it allows an unauthenticated remote attacker to execute arbitrary operating system commands with the privileges of the nginx-ui process user, often root in Docker environments.

Such command execution can lead to full system compromise, unauthorized access, data manipulation, or destruction, and potentially allow the attacker to control the affected server.

Mitigation Strategies

To mitigate this vulnerability, upgrade nginx-ui to version 2.3.8 or later, where the issue has been patched.

Avoid using fresh installations of nginx-ui versions prior to 2.3.8 without applying the update, especially within the first 10 minutes after process startup.

If upgrading immediately is not possible, restrict network access to the nginx-ui service during the vulnerable window after startup to prevent unauthenticated access to the backup restore endpoint.

Compliance Impact

CVE-2026-42238 allows unauthenticated remote attackers to execute arbitrary OS commands with root privileges by exploiting a backup restore endpoint in nginx-ui. This can lead to unauthorized access and modification of sensitive data and system configurations.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over access to sensitive data and system integrity.

Because the vulnerability allows full system access and arbitrary configuration changes, it increases the risk of data exposure, loss of data integrity, and denial of service, all of which are critical concerns under these regulations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42238. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart