CVE-2026-42222
Published: 04 May 2026
Description
Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions.
Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions.
Requiring authorization and configuration controls for mobile device connections directly enforces access control and prevents unauthorized devices from reaching organizational systems.
Provides a tamperproof, always-invoked, and verifiable mechanism to enforce access control policies.
Provides capability to review session content, directly detecting violations of access control.
Control assessments verify that access controls are implemented correctly and operating as intended, detecting improper access control before exploitation.
Certification requires independent assessment confirming access controls are implemented correctly and effective.
Restricting available functions and services reduces the attack surface and enforces proper access control boundaries.
Security SummaryAI
CVE-2026-42222 is an unauthenticated bootstrap takeover vulnerability in Nginx UI version 2.3.5, a web user interface for the Nginx web server. The issue arises during the initial installation window and is exposed through the POST /api/install endpoint, enabling improper access control as classified under CWE-284 (Improper Access Control) and CWE-306 (Missing Authentication for Critical Function). The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.
Remote attackers with network access can exploit this vulnerability without requiring user privileges or interaction, though it demands high attack complexity. Exploitation allows attackers to hijack the bootstrap process during initial setup, achieving high confidentiality, integrity, and availability impacts, effectively compromising the Nginx UI instance.
The GitHub security advisory (GHSA-mxqh-q9h6-v8pq) confirms that, at the time of publication on 2026-05-04, no public patches are available for this vulnerability.
Details
- CWE(s)
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated remote exploitation of the public-facing Nginx UI /api/install endpoint during bootstrap directly enables initial access via T1190 Exploit Public-Facing Application.