CVE-2026-44015: Nginx UI SSRF Bypasses Network Segmentation

/HIGH /CVSS 8.5/10
Written by SCW Vulnerability Desk Vulnerability Intelligence
SCW vulnerabilitycvehigh-severityserver-side-request-forgerycwe-918
CVE-2026-44015: Nginx UI SSRF Bypasses Network Segmentation

The National Vulnerability Database has disclosed CVE-2026-44015, a high-severity Server-Side Request Forgery (SSRF) vulnerability in Nginx UI versions 2.3.4 and earlier. This flaw allows an authenticated user to craft a malicious cluster node pointing to an arbitrary internal URL. Subsequently, API requests sent with a specific X-Node-ID header are forwarded by the Proxy middleware to the attacker-specified internal address.

This is a critical bypass. It means an attacker, once authenticated, can circumvent network segmentation controls. They can access services typically bound to localhost or other internal networks that should be isolated. The CVSSv3.1 score of 8.5 (High) reflects the significant impact on confidentiality (High) and the ease of exploitation (Low Privileges, Network Attack Vector).

For defenders, this is a clear warning that even authenticated access to administrative interfaces like Nginx UI can lead to deep internal network penetration. The attacker’s calculus here is simple: leverage a trusted, internal-facing application to pivot deeper into the infrastructure, bypassing perimeter defenses and internal network controls. This isn’t just about data exfiltration; it’s about establishing a foothold for further lateral movement and privilege escalation within the network.

What This Means For You

  • If your organization uses Nginx UI, immediately verify your version. Patch to a remediated version beyond 2.3.4 as soon as possible. Audit internal network logs for unusual connections originating from your Nginx UI instances to internal services that should not be directly exposed. This vulnerability allows authenticated users to effectively become an internal network scanner and access point.

Related ATT&CK Techniques

T1071.001 Web Protocols Lateral Movement T1526 Internal Spearphishing Initial Access T1190 Exploit Public-Facing Application Initial Access

🛡️ Detection Rules

3 rules · 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.

high T1190 Initial Access

CVE-2026-44015: Nginx UI SSRF to Internal Services

Sigma YAML — free preview 
title: CVE-2026-44015: Nginx UI SSRF to Internal Services
id: scw-2026-05-12-ai-1
status: experimental
level: high
description: |
  Detects the specific API endpoint and method used in CVE-2026-44015 to initiate SSRF attacks. This rule targets the creation of a cluster node pointing to an arbitrary internal URL, which is the core mechanism of the vulnerability. By monitoring requests to '/api/clusters/nodes' with the POST method, this rule aims to identify the initial exploitation attempt.
author: SCW Feed Engine (AI-generated)
date: 2026-05-12
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44015/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
    category: proxy
detection:
  selection:
      cs-uri|contains:
          - '/api/clusters/nodes'
      cs-method|exact:
          - 'POST'
      condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

✓ Sigma · Splunk SPL Sentinel KQL Elastic QRadar AQL Wazuh Get rules for your SIEM →

Indicators of Compromise

IDTypeIndicator
CVE-2026-44015 SSRF Nginx UI versions 2.3.4 and earlier
CVE-2026-44015 SSRF Authenticated user creating a cluster node pointing to an arbitrary internal URL
CVE-2026-44015 SSRF Sending API requests with the X-Node-ID header to trigger SSRF
CVE-2026-44015 SSRF Proxy middleware forwarding requests to attacker-specified internal address

Written by SCW Vulnerability Desk

Source & Attribution
Source PlatformNVD
ChannelNational Vulnerability Database
PublishedMay 13, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Believe this infringes your rights? Submit a takedown request.

Related coverage

Fuji Tellus Driver Grants All Users Kernel R/W: CVE-2026-8108

CVE-2026-8108 — The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions.

vulnerabilityCVEhigh-severitycwe-749
/SCW Vulnerability Desk /HIGH /7.8 /⚑ 2 IOCs /⚙ 3 Sigma

MonsterInsights WordPress Plugin Exposes Google OAuth Tokens

CVE-2026-5371 — The MonsterInsights – Google Analytics Dashboard for WordPress (Website Stats Made Easy) plugin for WordPress is vulnerable to unauthorized access and modification of...

vulnerabilityCVEhigh-severitycwe-862
/SCW Vulnerability Desk /HIGH /7.1 /⚑ 4 IOCs /⚙ 3 Sigma

ChurchCRM CVE-2026-44548: High-Severity CSRF Allows Silent Record Deletion

CVE-2026-44548 — ChurchCRM is an open-source church management system. Prior to 7.3.2, top-level cross-site GET navigation from an attacker-controlled page to FundRaiserDelete.php, PropertyTypeDelete.php, or NoteDelete.php...

vulnerabilityCVEhigh-severitycwe-352cwe-650
/SCW Vulnerability Desk /HIGH /8.1 /⚑ 4 IOCs /⚙ 3 Sigma