PT-2026-39184 · Nginx-Ui · Nginx-Ui

Miffyaa · Published 2026-04-29 · Updated 2026-05-14

CVE-2026-44015
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Nginx UI versions prior to 2.3.5

Description: An authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node that points to an arbitrary internal URL and sending API requests with the X-Node-ID header. The Proxy middleware, specifically the Proxy() function in internal/middleware/proxy.go, intercepts these requests and forwards them to the specified internal address without validating the node URL. This allows attackers to bypass network segmentation and access services bound to localhost, internal networks, or cloud metadata endpoints. The process involves retrieving the node secret from the '/api/settings' endpoint and creating a malicious node via the '/api/nodes' endpoint.

Recommendations: Update to a version later than 2.3.4.
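The root cause above is a proxy that forwards to whatever URL a node record carries. The following is an added example, written for this page in Go (the project's language) and not Nginx UI's own code or its actual fix, of the node-URL validation such a middleware needs: an http(s)-only scheme check, no userinfo, resolution of the host with every returned address checked against loopback, private, link-local (which contains the cloud metadata address), multicast and unspecified ranges, and a dial-time re-check so a name cannot be re-pointed after validation. ValidateNodeURL, hostResolver and safeDialControl are assumed names; the host table and URLs in main are constructed.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/url"
	"strings"
	"syscall"
)

// ErrUnsafeNodeURL is returned for any node URL the proxy must not forward to.
var ErrUnsafeNodeURL = errors.New("node URL targets a disallowed address")

// hostResolver (assumed name) abstracts DNS so the check runs offline; in
// production wrap net.DefaultResolver.LookupIPAddr.
type hostResolver func(ctx context.Context, host string) ([]net.IP, error)

// isBlockedIP rejects loopback, RFC 1918 and ULA private space, link-local
// (which holds 169.254.169.254, the usual cloud metadata address), multicast
// and unspecified addresses, plus 0.0.0.0/8 and shared address space
// 100.64.0.0/10. IPv4-mapped IPv6 forms are covered because the net.IP
// predicates and To4() unwrap them first.
func isBlockedIP(ip net.IP) bool {
	if ip.IsUnspecified() || ip.IsLoopback() || ip.IsPrivate() ||
		ip.IsLinkLocalUnicast() || ip.IsLinkLocalMulticast() || ip.IsMulticast() {
		return true
	}
	if ip4 := ip.To4(); ip4 != nil && (ip4[0] == 0 || (ip4[0] == 100 && ip4[1]&0xc0 == 64)) {
		return true
	}
	return false
}

// ValidateNodeURL is the check to run when a node is created or updated and
// again before the proxy forwards a request: http(s) only, no userinfo, and
// every address the host resolves to must lie outside the blocked ranges (an
// attacker-controlled name can answer with a mix of public and internal IPs).
func ValidateNodeURL(ctx context.Context, raw string, resolve hostResolver) (*url.URL, error) {
	u, err := url.Parse(strings.TrimSpace(raw))
	if err != nil {
		return nil, fmt.Errorf("parse node URL: %w", err)
	}
	if (u.Scheme != "http" && u.Scheme != "https") || u.User != nil || u.Hostname() == "" {
		return nil, fmt.Errorf("%w: bad scheme or host in %q", ErrUnsafeNodeURL, raw)
	}
	host := u.Hostname()
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil { // not an IP literal: resolve and check every answer
		if ips, err = resolve(ctx, host); err != nil {
			return nil, fmt.Errorf("resolve %q: %w", host, err)
		}
	}
	if len(ips) == 0 {
		return nil, fmt.Errorf("%w: %q resolves to nothing", ErrUnsafeNodeURL, host)
	}
	for _, ip := range ips {
		if ip == nil || isBlockedIP(ip) {
			return nil, fmt.Errorf("%w: %q resolves to %v", ErrUnsafeNodeURL, host, ip)
		}
	}
	return u, nil
}

// safeDialControl re-checks the resolved address at connect time, so a name
// that passed validation cannot be re-pointed at an internal address later
// (DNS rebinding). Use it as the Control hook of the net.Dialer behind the
// proxy's http.Transport; the address it receives is already "ip:port".
func safeDialControl(network, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address)
	if err != nil {
		return err
	}
	if ip := net.ParseIP(host); ip == nil || isBlockedIP(ip) {
		return fmt.Errorf("%w: refusing to dial %s", ErrUnsafeNodeURL, address)
	}
	return nil
}

func main() {
	// Constructed host table standing in for DNS; one name answers with a
	// loopback address alongside a public one.
	table := map[string][]net.IP{
		"nginx-node.example": {net.ParseIP("203.0.113.10")},
		"rebind.example":     {net.ParseIP("203.0.113.11"), net.ParseIP("127.0.0.1")},
	}
	resolve := func(_ context.Context, h string) ([]net.IP, error) { return table[h], nil }
	for _, raw := range []string{"https://nginx-node.example:9000", "https://rebind.example",
		"http://127.0.0.1:9000", "http://169.254.169.254/", "file:///etc/passwd"} {
		if _, err := ValidateNodeURL(context.Background(), raw, resolve); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Println("accept:", raw)
		}
	}
}
```

The check is deliberately applied twice: once where the node record is written (so a bad URL never persists) and once in the dialer (so a record that was valid when saved cannot be turned into an internal target by changing its DNS answer). A deny list of ranges is the minimum; where the deployment knows its node subnets, an explicit allow list of those subnets is stricter and easier to audit.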

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

BDU:2026-06994
CVE-2026-44015
GHSA-WR32-99HH-6F35

Affected Products

Nginx-Ui