CVE-2026-42221

nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

CVSS 8.1 HIGHEPSS 0.3%CWE-306

Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate who is allowed to perform installation. A remote attacker who reaches the service before the legitimate operator can set the admin email, username, and password, causing permanent initial-instance takeover. This issue has been patched in version 2.3.8.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected products

0xJacky · nginx-ui

public PoCs found — 1

githubgithub.com/fuchiuebusi-lab/nginx-ui-CVE-2026-42221-CVE-2026-42238-★ 0

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h27v-ph7w-m9fp