Cyber Resilience

CVE-2026-44015

HighPublic PoC

Published: 12 May 2026

Published
12 May 2026
Modified
14 May 2026
KEV Added
Patch
CVSS Score v3.1 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
EPSS Score 0.0032 23.6th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-44015 is a high-severity SSRF (CWE-918) vulnerability in Nginxui Nginx Ui. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Nginx UI is a web user interface for the Nginx web server. In 2.3.4 and earlier, an authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API…

more

requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SSRF in internet-facing Nginx UI web application directly enables exploitation of a public-facing app (T1190) to reach internal services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42222Same product: Nginxui Nginx Ui
CVE-2026-34403Same product: Nginxui Nginx Ui
CVE-2026-33026Same product: Nginxui Nginx Ui
CVE-2026-27944Same product: Nginxui Nginx Ui
CVE-2026-42221Same product: Nginxui Nginx Ui
CVE-2026-42238Same product: Nginxui Nginx Ui
CVE-2026-33032Same product: Nginxui Nginx Ui
CVE-2026-33031Same product: Nginxui Nginx Ui
CVE-2026-33030Same product: Nginxui Nginx Ui
CVE-2026-33028Same product: Nginxui Nginx Ui

Affected Assets

nginxui
nginx ui
≤ 2.3.4

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-918

Penetration testing attempts server-side requests to internal resources, identifying SSRF weaknesses for remediation.

addresses: CWE-918

Outbound connections to external resources can be monitored and limited at the boundary, reducing SSRF impact.

addresses: CWE-918

Validates server-side URLs and resource references to block SSRF attempts.

addresses: CWE-918

Detects server-side request forgery through monitoring of unexpected outbound connections.

References