CVE-2026-42221

Name of the Vulnerable Software and Affected Versions Nginx UI versions 2.0.0 through 2.3.7

Description An unauthenticated network attacker can claim the initial administrator account on a fresh instance during the first-run setup window. The public endpoint "/api/install" is accessible without authentication. While the request-encryption flow ensures payload confidentiality during transit, it fails to authenticate the user performing the installation. A remote attacker who accesses the service before the legitimate operator can define the admin email, username, and password, leading to a permanent takeover of the initial instance.

Recommendations Update to version 2.3.8.