Unauthenticated Remote Code Execution in Nginx UI by 0xJacky
CVE-2026-42238
9 CRITICAL
What is CVE-2026-42238?
Nginx UI, a web user interface for the Nginx web server, has a critical flaw: its backup restore functionality is reachable without authentication for the first 10 minutes after a fresh installation. During that window an attacker can upload a malicious backup archive that overwrites critical configuration files (app.ini) and the SQLite database, and thereby inject arbitrary OS commands into the application configuration. When the application restarts to apply the restored configuration, those commands run with the privileges of the user running Nginx UI, which often compromises the entire host, especially in Docker environments. The Nginx UI project fixed this issue in version 2.3.8.
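The access-control pattern behind this flaw, modelled as an added Go example that is not Nginx UI's own code: a post-install grace period that exempts every route from authentication (so the restore route is exposed) next to a hardened gate that limits the exemption to the setup route. The `Request` fields and the `/install` and `/restore` route names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// setupWindow is the grace period during which a fresh install lets an
// unauthenticated user complete initial setup. The 10-minute value matches
// the window described in the advisory; the gate code itself is illustrative.
const setupWindow = 10 * time.Minute

// Request carries the facts the gate needs. Field and route names are assumptions.
type Request struct {
	Route         string    // e.g. "/install" (initial setup) or "/restore" (backup restore)
	Authenticated bool      // true once a valid session has been presented
	InstalledAt   time.Time // when the application was first installed
	Now           time.Time // time of the request
}

// inSetupWindow reports whether the instance is still inside the post-install grace period.
func inSetupWindow(r Request) bool {
	return r.Now.Sub(r.InstalledAt) < setupWindow
}

// vulnerableGate models the flawed pattern: while the setup window is open,
// every route skips authentication, so backup restore is reachable as well.
func vulnerableGate(r Request) bool {
	return r.Authenticated || inSetupWindow(r)
}

// hardenedGate scopes the setup-window exemption to the setup route only.
// Restore, which can overwrite app.ini and the database, always needs a session.
func hardenedGate(r Request) bool {
	if r.Authenticated {
		return true
	}
	return r.Route == "/install" && inSetupWindow(r)
}

func main() {
	installed := time.Now()
	// Constructed request: unauthenticated restore two minutes after install.
	req := Request{Route: "/restore", InstalledAt: installed, Now: installed.Add(2 * time.Minute)}
	fmt.Println("vulnerable gate allows restore:", vulnerableGate(req))
	fmt.Println("hardened gate allows restore:", hardenedGate(req))
}
```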
Affected Version(s)
nginx-ui < 2.3.8
