CVE-2026-42221: Nginx UI Admin Takeover Vulnerability
The National Vulnerability Database has published CVE-2026-42221, a high-severity vulnerability in Nginx UI versions 2.0.0 through 2.3.7. It lets an unauthenticated network attacker claim the initial administrator account on a freshly deployed instance. The root cause is the /api/install endpoint, which is reachable without authentication. The install request is encrypted, but encryption only protects the data in transit; it says nothing about whether the caller is the operator who is entitled to perform the installation.
A remote attacker who reaches the Nginx UI service before the legitimate operator can set the administrator's email, username and password. Because first-run setup happens only once, the result is a permanent takeover of that instance, with full control over the Nginx UI. The CVSS v3.1 score is 8.1 (High), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network with no privileges or user interaction, and high impact on confidentiality, integrity and availability. The High attack complexity reflects the one condition outside the attacker's control: they have to reach the endpoint before the operator does.
This is a textbook case of CWE-306 (Missing Authentication for Critical Function). It is fixed in Nginx UI version 2.3.8, and patching should be the first priority. The attacker's calculus is simple: race the legitimate administrator to the setup endpoint. Once in, they own the Nginx UI, and from there can work toward further network compromise or data manipulation.
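To make the CWE-306 shape concrete, here is an added Go example written for this page; it is not Nginx UI's code. It models a first-run install handler in two modes: without any proof of who is calling, where the first POST wins, and with a one-time setup token that only the operator can read from the server log. The JSON field names, the X-Setup-Token header and the token mechanism itself are assumptions; the token pattern is a generic mitigation used for illustration, and the page does not describe how 2.3.8 actually closes the hole.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// installRequest: the account fields set at first run (JSON names assumed).
type installRequest struct {
	Username string `json:"username"`
	Password string `json:"password"`
}

// Installer models a fresh instance's setup state. With an empty SetupToken it
// has the CWE-306 shape: nobody is asked who they are, so the first POST wins.
type Installer struct {
	mu         sync.Mutex
	installed  bool
	admin      string
	SetupToken string // secret the operator reads from the server log
}

// NewInstaller optionally mints a one-time setup token and logs it where only
// the operator can see it: a generic hardening pattern, not the 2.3.8 fix.
func NewInstaller(requireToken bool) *Installer {
	inst := &Installer{}
	if requireToken {
		b := make([]byte, 16)
		if _, err := rand.Read(b); err != nil {
			log.Fatal(err)
		}
		inst.SetupToken = hex.EncodeToString(b)
		log.Printf("first-run setup token (operator only): %s", inst.SetupToken)
	}
	return inst
}

// Admin returns the username that won the install, or "" if nobody has yet.
func (i *Installer) Admin() string {
	i.mu.Lock()
	defer i.mu.Unlock()
	return i.admin
}

// ServeHTTP handles POST /api/install (routing it to POST only is assumed).
func (i *Installer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	i.mu.Lock()
	defer i.mu.Unlock()
	if i.installed { // the first caller owns the instance; no second chance
		http.Error(w, "already installed", http.StatusConflict)
		return
	}
	if i.SetupToken != "" { // hardened mode: the caller must prove it is the operator
		got := []byte(r.Header.Get("X-Setup-Token")) // header name assumed
		if subtle.ConstantTimeCompare(got, []byte(i.SetupToken)) != 1 {
			http.Error(w, "setup token required", http.StatusForbidden)
			return
		}
	}
	var req installRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Username == "" || req.Password == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	i.admin, i.installed = req.Username, true
	w.WriteHeader(http.StatusOK)
}

// ClaimAdmin races to /api/install with a chosen account and whatever token the
// caller holds (none, in the real attack); it returns the HTTP status code.
func ClaimAdmin(inst *Installer, username, token string) int {
	body := `{"username":"` + username + `","password":"hunter2"}`
	req := httptest.NewRequest(http.MethodPost, "/api/install", strings.NewReader(body))
	if token != "" {
		req.Header.Set("X-Setup-Token", token)
	}
	rec := httptest.NewRecorder()
	inst.ServeHTTP(rec, req)
	return rec.Code
}

// Race lets an unauthenticated attacker reach a fresh instance first.
func Race(requireToken bool) (int, string) {
	inst := NewInstaller(requireToken)
	status := ClaimAdmin(inst, "attacker", "")
	return status, inst.Admin()
}

func main() {
	s, a := Race(false)
	log.Printf("vulnerable: attacker got %d, admin is %q", s, a) // 200, "attacker"
	s, a = Race(true)
	log.Printf("hardened: attacker got %d, admin is %q", s, a) // 403, ""
}
```

Two things in the hardened path matter beyond the token itself: the `installed` check runs first, so once the operator has completed setup every later POST is refused regardless of what it carries, and the token comparison is constant-time so the 403 path leaks nothing about how many bytes matched.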
What This Means For You
- If your organization runs Nginx UI, verify the version now. Anything from 2.0.0 through 2.3.7 should be upgraded to 2.3.8 or later without delay. If you deployed Nginx UI recently, assume it may already be compromised: confirm that the administrator account on the instance is the one you created, and audit the web server logs for any POST to /api/install that preceded your own setup. This is not theoretical; an unauthenticated attacker can take over the instance before you get a chance to configure it. When you stand up a new instance, complete first-run setup before the service is reachable from any untrusted network.
Related ATT&CK Techniques
- T1190 Exploit Public-Facing Application (Initial Access), as tagged in the detection rule below.
Detection Rules
Auto-generated Sigma rule for this CVE, mapped to MITRE ATT&CK. Sigma YAML is the canonical form; convert it to a particular SIEM's query language with the Sigma tooling (for example sigma-cli).
CVE-2026-42221: Nginx UI Initial Admin Takeover via /api/install

```yaml
title: 'CVE-2026-42221: Nginx UI Initial Admin Takeover via /api/install'
id: scw-2026-05-04-ai-1
status: experimental
level: critical
description: |
  Detects the initial access vector for CVE-2026-42221. An unauthenticated attacker can exploit the
  /api/install endpoint in vulnerable versions of Nginx UI (2.0.0 to < 2.3.8) to claim the administrator
  account during first-run setup. The rule matches POST requests to the /api/install path, the entry
  point for this vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-04
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42221/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-method: 'POST'
    # c-uri is the Sigma webserver field for the request URI; the startswith
    # modifier also catches the path with a query string appended
    c-uri|startswith: '/api/install'
  condition: selection
falsepositives:
  - The legitimate operator's own first-run setup. Exactly one POST is expected on a fresh instance; a second one, or one from an unexpected client address, is the signal
```
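As an added example that is not part of the page or its detection feed, the following Go program runs the rule's logic over constructed nginx combined-format access-log lines (the addresses, timestamps, user agents and status codes are made up, not captured from any Nginx UI deployment) and turns the hits into the check the advice above asks for: on a fresh instance there should be exactly one successful POST to /api/install, and it should come from the operator. It also shows why matching on the path prefix matters: a query string on the path would slip past an exact match.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleLog: constructed lines in nginx's "combined" format. An external
// address completes the install minutes before the operator (10.0.0.5)
// tries, so the operator's own attempt is refused.
const sampleLog = `203.0.113.7 - - [04/May/2026:09:12:31 +0000] "GET /api/install HTTP/1.1" 200 57 "-" "python-requests/2.32.3"
203.0.113.7 - - [04/May/2026:09:12:32 +0000] "POST /api/install HTTP/1.1" 200 21 "-" "python-requests/2.32.3"
10.0.0.5 - - [04/May/2026:09:20:02 +0000] "GET / HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
10.0.0.5 - - [04/May/2026:09:20:40 +0000] "POST /api/install?lang=en HTTP/1.1" 409 34 "https://nginx-ui.example/install" "Mozilla/5.0"
10.0.0.5 - - [04/May/2026:09:21:10 +0000] "POST /api/login HTTP/1.1" 401 18 "-" "Mozilla/5.0"
`

// combinedRe pulls out client address, timestamp, method, request target and status.
var combinedRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) `)

// InstallPost is one POST to /api/install observed in the log.
type InstallPost struct {
	Client, Time, Path string
	Status             int
}

// FindInstallPosts applies the Sigma rule's selection (POST, request target
// starting with /api/install) to raw log text and returns every match.
func FindInstallPosts(logText string) []InstallPost {
	var hits []InstallPost
	for _, line := range strings.Split(logText, "\n") {
		m := combinedRe.FindStringSubmatch(line)
		if m == nil || m[3] != "POST" || !strings.HasPrefix(m[4], "/api/install") {
			continue
		}
		status, _ := strconv.Atoi(m[5])
		hits = append(hits, InstallPost{Client: m[1], Time: m[2], Path: m[4], Status: status})
	}
	return hits
}

// Triage turns hits into findings a responder can act on. A fresh instance
// should show exactly one successful install, from the operator's address;
// a success from anyone else, or a refused attempt, means setup was claimed
// by someone else first.
func Triage(hits []InstallPost, operatorAddr string) []string {
	var findings []string
	for _, h := range hits {
		switch {
		case h.Status == 200 && h.Client != operatorAddr:
			findings = append(findings, fmt.Sprintf("%s: successful install from %s, not the operator (%s); treat the admin account as attacker-controlled", h.Time, h.Client, operatorAddr))
		case h.Status != 200:
			findings = append(findings, fmt.Sprintf("%s: install attempt by %s refused (status %d); someone else completed setup first", h.Time, h.Client, h.Status))
		}
	}
	return findings
}

func main() {
	for _, f := range Triage(FindInstallPosts(sampleLog), "10.0.0.5") {
		fmt.Println(f)
	}
}
```

In a real investigation the operator address comes from the ticket or the bastion host's logs; the point of the second finding is that the operator's own refused attempt is itself evidence, because on a vulnerable version nothing but a prior install can produce it.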
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42221 | Affected versions | Nginx UI 2.0.0 through 2.3.7 (fixed in 2.3.8) |
| CVE-2026-42221 | Attack surface | Unauthenticated POST to the /api/install first-run setup endpoint |
| CVE-2026-42221 | Impact | Initial administrator account claimed by whoever reaches the endpoint first |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 05, 2026 at 00:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.