CVE-2026-50892
Incorrect Access Control in Nginx Proxy Manager TLS Private Key Exposure

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: nginx_proxy_manager
Product: nginx_proxy_manager
Version / Range: 2.14.0
CWE ID: CWE-UNKNOWN
Executive Summary

CVE-2026-50892 is a vulnerability in Nginx Proxy Manager version 2.14.0 where the certificate download API endpoint improperly exposes private TLS key material.

An authenticated user with certificate read access can exploit this by sending a crafted GET request to /api/nginx/certificates/:certificate_id/download.

Instead of restricting the download to only public certificate or chain files, the backend packages files from the live certificate directory including the private key file (privkey.pem) in a ZIP archive.

This incorrect access control allows attackers to obtain sensitive private key material that should not be exposed.

Impact Analysis

The vulnerability allows an attacker with certificate read access to obtain the private TLS key material.

With access to the private key, an attacker can impersonate the TLS endpoint, potentially intercepting or decrypting secure communications.

This compromises the confidentiality and integrity of encrypted traffic and requires immediate key rotation for affected certificates to restore security.

Detection Guidance

This vulnerability can be detected by checking if the vulnerable endpoint is accessible and returns private key material. Specifically, an authenticated user with certificate read access can send a crafted GET request to the endpoint /api/nginx/certificates/:certificate_id/download.

One way to test this is to use curl with authentication to attempt to download the certificate archive:

  • curl -u <username>:<password> -X GET https://<nginx-proxy-manager-host>/api/nginx/certificates/<certificate_id>/download -o cert.zip

If the downloaded ZIP archive contains the private key file (privkey.pem), the system is vulnerable.
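To make that check concrete, here is an added example (not from this page or from the Nginx Proxy Manager project) that inspects a downloaded archive such as cert.zip and reports every entry that is named privkey.pem or whose content begins with a PEM private-key block, so a key copied under another name is caught too. The archive it builds for itself is constructed with placeholder PEM bodies, and the live/<name>/ entry layout is an assumption about how the endpoint packages the certificate directory.

```python
import io
import re
import sys
import zipfile
from typing import List

# File name Let's Encrypt / certbot use for the key in the live directory.
PRIVATE_KEY_NAME = re.compile(r"(^|/)privkey\.pem$", re.IGNORECASE)
# PEM header of a PKCS#8, RSA, EC, DSA or encrypted private key.
PRIVATE_KEY_BLOCK = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")


def find_private_key_material(zip_bytes: bytes) -> List[str]:
    """Names of archive entries carrying private key material, matched by
    file name (privkey.pem) or by PEM content (catches renamed copies)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)  # the PEM header sits at the top of the file
            if PRIVATE_KEY_NAME.search(info.filename) or PRIVATE_KEY_BLOCK.search(head):
                findings.append(info.filename)
    return findings


def is_vulnerable(zip_bytes: bytes) -> bool:
    """True when the archive leaks key material, per the detection guidance above."""
    return bool(find_private_key_material(zip_bytes))


def build_sample_zip(key_name: str = "privkey.pem", include_key: bool = True) -> bytes:
    """Constructed sample archive in a certbot-like live/<name>/ layout (an assumption);
    the PEM bodies are placeholders, not real certificates or keys."""
    cert = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    key = b"-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("live/npm-1/cert.pem", cert)
        zf.writestr("live/npm-1/chain.pem", cert)
        zf.writestr("live/npm-1/fullchain.pem", cert + cert)
        if include_key:
            zf.writestr("live/npm-1/" + key_name, key)
    return buf.getvalue()


if __name__ == "__main__":
    # python check_cert_zip.py cert.zip  (no argument: scans the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_zip()
    hits = find_private_key_material(data)
    print("VULNERABLE: key material in " + ", ".join(hits) if hits else "OK: no private key material")
    sys.exit(1 if hits else 0)
```

The non-zero exit status lets the check run unattended after the curl download, for example as a post-upgrade regression test.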

Mitigation Strategies

Immediate mitigation steps include restricting access to the certificate download endpoint to prevent unauthorized or unnecessary certificate downloads.

Additionally, affected certificates should be considered compromised and require key rotation to prevent impersonation of the TLS endpoint.

Updating or patching Nginx Proxy Manager to a version that fixes this access control issue is also recommended once available.

Compliance Impact

The vulnerability in Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain private TLS key material, which can lead to unauthorized access and impersonation of TLS endpoints.

Exposure of private key material can compromise the confidentiality and integrity of encrypted communications, potentially violating data protection requirements under standards like GDPR and HIPAA.

Such unauthorized access to sensitive cryptographic keys may require organizations to perform key rotation and incident response to maintain compliance with these regulations.
