CVE-2026-42222
Published: 04 May 2026
Summary
CVE-2026-42222 is a high-severity Improper Access Control (CWE-284) vulnerability in Nginx UI (listed under the vendor name Nginxui). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 16.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-14 (Permitted Actions Without Identification or Authentication): explicitly identifies and authorizes only approved actions that may be performed without identification or authentication, directly preventing unauthenticated bootstrap takeover via the /api/install endpoint.
- AC-3 (Access Enforcement): enforces approved access authorizations in accordance with policy, mitigating the improper access control (CWE-284) that allows remote attackers to hijack the installation.
- IA-8 (Identification and Authentication (Non-Organizational Users)): requires unique identification and authentication of non-organizational users, blocking exploitation by remote attackers who hold no privileges.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated remote exploitation of the public-facing Nginx UI /api/install endpoint during bootstrap directly enables initial access via T1190 Exploit Public-Facing Application.
NVD Description
Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initial installation window exposed by POST /api/install. At time of publication no public patches are available.
Deeper analysis
CVE-2026-42222 is an unauthenticated bootstrap takeover vulnerability in Nginx UI version 2.3.5, a web user interface for the Nginx web server. The issue arises during the initial installation window and is exposed through the POST /api/install endpoint; it is classified under CWE-284 (Improper Access Control) and CWE-306 (Missing Authentication for Critical Function). The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity because of its potential for significant impact.
Remote attackers with network access can exploit this vulnerability without requiring user privileges or interaction, though it demands high attack complexity. Exploitation allows attackers to hijack the bootstrap process during initial setup, achieving high confidentiality, integrity, and availability impacts, effectively compromising the Nginx UI instance.
The GitHub security advisory (GHSA-mxqh-q9h6-v8pq) confirms that, at the time of publication on 2026-05-04, no public patches are available for this vulnerability.
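Since no patch is available at publication, defenders can at least detect the access pattern the advisory describes: a POST to /api/install arriving from anywhere other than the administrator's own host during the installation window. The following is an added example, not code from the nginx-ui project or the advisory; it assumes a reverse proxy in front of nginx-ui writing nginx's default "combined" access-log format, and the log lines are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample lines in nginx's default "combined" log format (assumption:
# the reverse proxy in front of nginx-ui logs in this format).
SAMPLE_ACCESS_LOG = """\
127.0.0.1 - - [04/May/2026:09:12:01 +0000] "POST /api/install HTTP/1.1" 200 312 "-" "Mozilla/5.0"
203.0.113.45 - - [04/May/2026:09:13:44 +0000] "POST /api/install HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.7 - - [04/May/2026:09:14:02 +0000] "GET /api/install HTTP/1.1" 404 22 "-" "curl/8.4"
10.0.0.5 - - [04/May/2026:09:15:10 +0000] "POST /api/install HTTP/1.1" 403 15 "-" "curl/8.4"
"""

# Fields of the combined format: client IP, identity, user, timestamp,
# request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_install_attempts(log_text, trusted_networks=("127.0.0.0/8", "::1/128")):
    """Return POST /api/install entries whose source lies outside the trusted networks.

    Each returned entry carries a 'succeeded' flag: a 2xx response means the
    bootstrap endpoint accepted the request, which is the event that needs an
    immediate response (re-install from a clean state, rotate credentials).
    """
    trusted = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if not e or e["method"] != "POST" or e["path"].split("?")[0] != "/api/install":
            continue
        try:
            src = ipaddress.ip_address(e["ip"])
        except ValueError:
            continue  # malformed address field; not actionable here
        if any(src in net for net in trusted):
            continue
        e["succeeded"] = e["status"].startswith("2")
        hits.append(e)
    return hits


if __name__ == "__main__":
    for hit in find_install_attempts(SAMPLE_ACCESS_LOG):
        print(f"{hit['ts']} {hit['ip']} status={hit['status']} succeeded={hit['succeeded']}")
```

Expand `trusted_networks` to the management subnet actually used for setup; a successful hit from any other source during the installation window should be treated as a compromised instance rather than a blocked probe.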
Details
- CWE(s)