Cyber Posture

CVE-2026-42221

Severity: High
Published: 04 May 2026
Modified: 04 May 2026
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0008 (24.4th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Description

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate who is allowed to perform installation. A remote attacker who reaches the service before the legitimate operator can set the admin email, username, and password, causing permanent initial-instance takeover. This issue has been patched in version 2.3.8.

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-306) Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.
- (addresses CWE-306) Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
- (addresses CWE-306) Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
- (addresses CWE-306) Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
- (addresses CWE-306) Auditing sessions makes it possible to detect access to critical functions without required authentication.
- (addresses CWE-306) The assessment process confirms authentication is present and effective for critical functions, preventing exploitation from missing authentication.
- (addresses CWE-306) Certification assesses that critical functions have required authentication controls in place.
- (addresses CWE-306) Disabling non-essential functions and services eliminates the need to secure them, reducing exposure from missing authentication on unnecessary components.

Security Summary (AI)

CVE-2026-42221 affects Nginx UI, a web user interface for the Nginx web server, in versions from 2.0.0 up to but not including 2.3.8. The vulnerability stems from the public /api/install endpoint being reachable without authentication during the first-run setup window on a fresh instance. While the request-encryption flow protects payload confidentiality in transit, it fails to authenticate who is permitted to perform the installation, enabling an unauthenticated network attacker to claim the initial administrator account by setting the admin email, username, and password.

A remote, unauthenticated attacker can exploit this during the initial setup phase by reaching the service before the legitimate operator, resulting in permanent takeover of the instance. Because the attacker must race the legitimate user to the endpoint, the CVSS v3.1 base score is 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), with high attack complexity but no privileges or user interaction required and a high-impact compromise of confidentiality, integrity, and availability. The underlying weakness is CWE-306 (Missing Authentication for Critical Function).

The issue has been addressed in Nginx UI version 2.3.8. Security practitioners should upgrade to this patched release, as detailed in the GitHub security advisory (GHSA-h27v-ph7w-m9fp) and the v2.3.8 release notes.

Details


MITRE ATT&CK Enterprise Techniques (AI)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1136.001 Local Account (Persistence): Adversaries may create a local account to maintain access to victim systems.

Why these techniques?

Unauthenticated access to /api/install on public-facing Nginx UI directly enables T1190 (Exploit Public-Facing Application) for initial admin account creation (T1136.001 Local Account) during first-run setup.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
