PT-2026-35731 · Nginx-Ui · Nginx-Ui

Captain99Hook · Published 2026-04-21 · Updated 2026-05-13 · CVE-2026-42238

CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: nginx-ui versions prior to 2.3.8
Description: An authentication bypass exists in the backup restore functionality. During the first 10 minutes after a fresh installation or any process restart, the 'POST /api/restore' endpoint is completely unauthenticated. A remote attacker can exploit this window to upload a crafted backup archive that overwrites the application's configuration file app.ini and the SQLite database. By controlling the app.ini file, the attacker can inject arbitrary OS commands into the TestConfigCmd variable. Once the application restarts to apply the configuration, a subsequent request triggers the execution of the injected command with the privileges of the user running nginx-ui, which is typically root in Docker deployments.
Recommendations: Update to version 2.3.8 or later. As a temporary workaround, restrict network access to the nginx-ui port (default 9000/tcp) to trusted IP addresses only to prevent unauthorized access to the restore endpoint.
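Two defender-side checks for the issue described above, written for this write-up and not part of nginx-ui itself: a scan of access-log lines (constructed samples) for POST /api/restore calls from outside the trusted address range the workaround recommends, and an audit of app.ini for a tampered TestConfigCmd. The combined log format, the [nginx] section name and the expected `nginx -t` value are assumptions.

```python
import configparser
import ipaddress
import re

# Constructed sample lines in nginx "combined" format; assumes a reverse proxy
# in front of nginx-ui logs requests in this shape.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Apr/2026:10:02:11 +0000] "GET /api/settings HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [21/Apr/2026:10:03:40 +0000] "POST /api/restore HTTP/1.1" 200 87 "-" "python-requests/2.31"
10.0.0.5 - - [21/Apr/2026:10:04:02 +0000] "POST /api/restore HTTP/1.1" 200 87 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_restore_requests(log_text, trusted_cidrs):
    """Return (ip, timestamp, status) for each POST /api/restore from outside trusted_cidrs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"].split("?")[0] != "/api/restore":
            continue
        if not any(ipaddress.ip_address(m["ip"]) in net for net in trusted):
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

# Constructed app.ini snippets; assumption: TestConfigCmd lives in the [nginx] section.
CLEAN_INI = "[nginx]\nTestConfigCmd = nginx -t\nReloadCmd = nginx -s reload\n"
TAMPERED_INI = "[nginx]\nTestConfigCmd = nginx -t; touch /tmp/injected\n"

SHELL_META = re.compile(r"[;&|`$<>(){}\n]")

def audit_test_config_cmd(ini_text, expected="nginx -t"):
    """Return findings about TestConfigCmd; an empty list means it matches the baseline."""
    cp = configparser.ConfigParser(interpolation=None)  # keep ';' and '%' literal
    cp.read_string(ini_text)
    cmd = cp.get("nginx", "TestConfigCmd", fallback="")
    findings = []
    if not cmd:
        findings.append("TestConfigCmd missing")
    elif cmd != expected:
        findings.append(f"TestConfigCmd differs from expected value: {cmd!r}")
    if SHELL_META.search(cmd):
        findings.append("TestConfigCmd contains shell metacharacters")
    return findings

if __name__ == "__main__":
    print(find_restore_requests(SAMPLE_LOG, ["10.0.0.0/8"]))
    print(audit_test_config_cmd(TAMPERED_INI))
```

Run the audit against the live app.ini after any restart, since the unauthenticated window reopens each time the process comes up.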

Tags: Exploit · Fix · RCE · Code Injection

Weakness Enumeration

Related Identifiers

BDU:2026-06314
CVE-2026-42238
GHSA-4PVG-PRR3-9CXR

Affected Products

Nginx-Ui