CVE-2026-42221
Published: 04 May 2026
Summary
CVE-2026-42221 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Nginxui Nginx Ui. Its CVSS base score is 8.1 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 26.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-14 explicitly identifies and limits actions performable without authentication, directly mitigating the exposure of the unauthenticated /api/install endpoint during initial setup.
SC-14 requires protections for public web interfaces against unauthorized access or modification, addressing the publicly reachable /api/install endpoint vulnerable to remote takeover.
AC-3 mandates enforcement of access authorizations on system resources, preventing unauthenticated attackers from completing the admin account claim via the /api/install endpoint.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated access to /api/install on public-facing Nginx UI directly enables T1190 (Exploit Public-Facing Application) for initial admin account creation (T1136.001 Local Account) during first-run setup.
NVD Description
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate who is allowed to perform installation. A remote attacker who reaches the service before the legitimate operator can set the admin email, username, and password, causing permanent initial-instance takeover. This issue has been patched in version 2.3.8.
Deeper analysis
CVE-2026-42221 affects Nginx UI, a web user interface for the Nginx web server, in versions from 2.0.0 up to but not including 2.3.8. The vulnerability stems from the public /api/install endpoint being reachable without authentication during the first-run setup window on a fresh instance. While the request-encryption flow protects payload confidentiality in transit, it fails to authenticate who is permitted to perform the installation, enabling an unauthenticated network attacker to claim the initial administrator account by setting the admin email, username, and password.
A remote, unauthenticated attacker can exploit this during the initial setup phase by reaching the service before the legitimate operator, resulting in permanent takeover of the instance. Because the attack requires winning a race against the legitimate user for the endpoint, attack complexity is rated High in the CVSS v3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), giving a base score of 8.1; the weakness is classified as CWE-306 (Missing Authentication for Critical Function), and a successful attack yields high-impact confidentiality, integrity, and availability compromise without privileges or user interaction.
The issue has been addressed in Nginx UI version 2.3.8. Security practitioners should upgrade to this patched release, as detailed in the GitHub security advisory (GHSA-h27v-ph7w-m9fp) and the v2.3.8 release notes.
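The weakness described in the NVD text and the analysis above is a first-run endpoint that decides who becomes administrator purely on who sends a well-formed request first. The following Go program is an added illustration of that pattern and of the two controls AC-14 and AC-3 call for; it is not Nginx UI's code and does not reproduce the actual v2.3.8 fix. The `Installer` type, the `X-Setup-Token` header and the setup-token mechanism are hypothetical: a one-time secret the operator obtains out of band (for example from the console at first start) stands in for whatever the real project uses. Request bodies are constructed sample data.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// InstallRequest carries the fields the advisory says a remote attacker could
// set on a fresh instance: admin email, username and password.
type InstallRequest struct {
	Email    string `json:"email"`
	Username string `json:"username"`
	Password string `json:"password"`
}

// Installer models first-run state (hypothetical type, not Nginx UI's own).
type Installer struct {
	mu         sync.Mutex
	installed  bool
	setupToken string // hypothetical operator-held one-time secret
	admin      InstallRequest
}

func decodeInstall(r *http.Request) (InstallRequest, error) {
	var req InstallRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		return req, err
	}
	if req.Username == "" || req.Password == "" {
		return req, fmt.Errorf("username and password are required")
	}
	return req, nil
}

// VulnerableInstall reproduces the CWE-306 shape: whoever reaches the
// endpoint first with a valid body becomes the administrator.
func (s *Installer) VulnerableInstall(w http.ResponseWriter, r *http.Request) {
	req, err := decodeInstall(r)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.admin = req // no check that the caller is the operator
	s.installed = true
	w.WriteHeader(http.StatusOK)
}

// HardenedInstall refuses the action once an admin exists (AC-3) and, before
// that, permits it only to a caller presenting the setup token (AC-14).
func (s *Installer) HardenedInstall(w http.ResponseWriter, r *http.Request) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.installed {
		http.Error(w, "instance already installed", http.StatusForbidden)
		return
	}
	presented := strings.TrimSpace(r.Header.Get("X-Setup-Token")) // hypothetical header
	if s.setupToken == "" ||
		subtle.ConstantTimeCompare([]byte(presented), []byte(s.setupToken)) != 1 {
		http.Error(w, "setup token required", http.StatusUnauthorized)
		return
	}
	req, err := decodeInstall(r)
	if err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	s.admin = req
	s.installed = true
	s.setupToken = "" // single use: the token is worthless after setup
	w.WriteHeader(http.StatusOK)
}

// Admin returns the admin username and whether setup has completed.
func (s *Installer) Admin() (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return s.admin.Username, s.installed
}

// postInstall sends one constructed install request and returns the HTTP status.
func postInstall(h http.HandlerFunc, token, body string) int {
	r := httptest.NewRequest(http.MethodPost, "/api/install", strings.NewReader(body))
	if token != "" {
		r.Header.Set("X-Setup-Token", token)
	}
	w := httptest.NewRecorder()
	h(w, r)
	return w.Code
}

// Constructed sample bodies; the addresses are not real.
const attackerBody = `{"email":"attacker@example.invalid","username":"attacker","password":"x"}`
const operatorBody = `{"email":"ops@example.invalid","username":"ops","password":"y"}`

func main() {
	v := &Installer{}
	fmt.Println("vulnerable, no token:", postInstall(v.VulnerableInstall, "", attackerBody)) // 200
	u, _ := v.Admin()
	fmt.Println("vulnerable admin is:", u) // attacker
	h := &Installer{setupToken: "constructed-setup-token"}
	fmt.Println("hardened, no token:", postInstall(h.HardenedInstall, "", attackerBody))                        // 401
	fmt.Println("hardened, operator token:", postInstall(h.HardenedInstall, "constructed-setup-token", operatorBody)) // 200
	fmt.Println("hardened, replay:", postInstall(h.HardenedInstall, "constructed-setup-token", attackerBody))         // 403
	u, _ = h.Admin()
	fmt.Println("hardened admin is:", u) // ops
}
```

Two design points carry the weight: the `installed` flag closes the window permanently, so a later leak of the token changes nothing, and the token comparison uses `subtle.ConstantTimeCompare` so the check itself does not leak through timing. Encrypting the request body, as the advisory notes, would address neither point, because confidentiality in transit says nothing about who is allowed to call the endpoint.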
Details
- CWE(s)