Nginx-Ui · Nginx-Ui · CVE-2026-42238
**Name of the Vulnerable Software and Affected Versions**
nginx-ui versions prior to 2.3.8
**Description**
An authentication bypass exists in the backup restore functionality. During the first 10 minutes after a fresh installation or any process restart, the `POST /api/restore` endpoint is completely unauthenticated. A remote attacker can exploit this window to upload a crafted backup archive that overwrites the application's configuration file `app.ini` and the SQLite database. By controlling the `app.ini` file, the attacker can inject arbitrary OS commands into the `TestConfigCmd` variable. Once the application restarts to apply the configuration, a subsequent request triggers the execution of the injected command with the privileges of the user running nginx-ui, which is typically root in Docker deployments.
**Recommendations**
Update to version 2.3.8 or later.
As a temporary workaround, restrict network access to the nginx-ui port (default 9000/tcp) to trusted IP addresses only to prevent unauthorized access to the restore endpoint.
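A detection check for the unauthenticated restore window described above, added here as an example and not part of the advisory or the nginx-ui project: it scans access-log lines for `POST /api/restore` requests from addresses outside the trusted networks named in the workaround. It assumes the requests are logged in nginx "combined" format (for example by a reverse proxy in front of port 9000); the sample lines and trusted CIDR are constructed.

```python
import ipaddress
import re

# Constructed sample lines in nginx "combined" format. Assumption: nginx-ui
# is fronted by a proxy that logs in this format; adjust LOG_RE otherwise.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2026:08:01:13 +0000] "GET /api/settings HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.7 - - [12/May/2026:08:03:44 +0000] "POST /api/restore HTTP/1.1" 200 57 "-" "python-requests/2.31"
10.0.0.5 - - [12/May/2026:08:05:02 +0000] "POST /api/restore HTTP/1.1" 200 57 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2026:08:05:40 +0000] "POST /api/restore?x=1 HTTP/1.1" 403 0 "-" "curl/8.0"
"""

# Client address, timestamp, method, path and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def find_untrusted_restores(log_text, trusted_cidrs):
    """Return (ip, timestamp, status) for every POST /api/restore whose client
    is outside the trusted networks. A 200 from an untrusted source during the
    unauthenticated window after a restart means a crafted backup may have
    replaced app.ini and the SQLite database; treat it as an incident."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] != "POST" or path != "/api/restore":
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in nets):
            continue  # trusted administrator network
        hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, ts, status in find_untrusted_restores(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"ALERT restore attempt from {ip} at {ts} (HTTP {status})")
```

Flag any 200 result as a possible successful restore, and compare `TestConfigCmd` in `app.ini` against the value you expect before the next restart applies it.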