CVE-2026-40519
Status: Received - Intake
Authenticated RCE via OS Command Injection in Nginx Proxy Manager

Publication date: 2026-06-08

Last updated on: 2026-06-08

Assigner: VulnCheck

Description
Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
Meta Information
Generated: 2026-06-09
AI Q&A: 2026-06-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: nginx_proxy_manager
Product: nginx_proxy_manager
Version / Range: From 2.9.14 (inc) to 2.15.1 (inc)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Executive Summary

CVE-2026-40519 is an authenticated remote code execution (RCE) vulnerability in Nginx Proxy Manager versions 2.9.14 through 2.15.1. It occurs in the setupCertbotPlugins() function within backend/setup.js, where the dns_provider_credentials field is used without proper sanitization or escaping. Attackers with certificates:manage permission can inject malicious OS commands into this field, which are then executed via child_process.exec() when the backend restarts.

The vulnerability arises because the user-controlled dns_provider_credentials value is interpolated directly into a shell command, allowing command injection. Attempts to fix the issue by escaping single quotes were insufficient. The final fix replaced shell command execution with direct file operations using Node.js's fs/promises module, eliminating the risk of command injection.

Impact Analysis

This vulnerability allows an attacker with certificates:manage permission to execute arbitrary OS commands on the backend server running Nginx Proxy Manager. This can lead to full system compromise, data theft, service disruption, or further attacks within the environment.

The risk is especially high in Docker deployments where the backend runs as root and credentials files are not persisted, making exploitation reliable and potentially more damaging.

Detection Guidance

This vulnerability can be detected by checking whether your Nginx Proxy Manager installation is running a vulnerable version, 2.9.14 through 2.15.1. Since the issue is an authenticated remote code execution via the dns_provider_credentials field, detection also involves verifying whether any malicious payloads have been stored in this field.

You can inspect the backend setup.js file or logs for suspicious commands executed during backend restarts, especially those involving the dns_provider_credentials field.

Specific commands to detect exploitation attempts are not provided in the resources, but general steps include:

  • Check the version of Nginx Proxy Manager: `nginxproxymanager --version` or check the installed package version.
  • Audit the dns_provider_credentials field in your configuration or database for unexpected or suspicious content.
  • Review backend logs for command execution traces or errors related to setupCertbotPlugins.

Mitigation Strategies

The immediate mitigation step is to upgrade Nginx Proxy Manager to a version that includes the fix for CVE-2026-40519, which was implemented in commit a5db5ed.

The fix involves replacing the vulnerable shell command execution with direct file operations using Node.js's fs/promises module, eliminating the risk of command injection.

If upgrading immediately is not possible, restrict access to users with the certificates:manage permission and audit the dns_provider_credentials field to prevent injection of malicious payloads.

Additionally, consider monitoring backend restarts and logs for suspicious activity and avoid running the backend with elevated privileges where possible.

Compliance Impact

The provided context and resources do not explicitly discuss the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
