Server-Side Request Forgery Vulnerability in Nginx UI by Nginx
CVE-2026-44015

8.5HIGH

Key Information:

Vendor: 0xjacky
Status: Nginx-ui
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-44015?

The Nginx UI web interface, up to version 2.3.4, is susceptible to a Server-Side Request Forgery (SSRF) attack. An authenticated user can exploit this vulnerability by creating a cluster node that directs to any internal URL. By sending API requests with the X-Node-ID header, the Proxy middleware forwards these requests to the specified internal addresses. This process allows attackers to bypass network segmentation protocols and gain access to sensitive services limited to localhost or internal networks.

Affected Version(s)

nginx-ui <= 2.3.4

References

https://github.com/0xJacky/nginx-ui/security/advisories/G...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
May 4, 2026

CVE-2026-44015 Data

JSON

0xjacky

What is CVE-2026-44015?

Affected Version(s)

References

CVSS V3.1

Timeline