LeakyCreds

CVE-2026-42238 - Vulnerability Analysis

Severity: Critical | CVSS: 9.8

Last Updated: May 6, 2026

Nginx UI - Command Injection

Published: May 4, 2026 | Updated: May 6, 2026 | PoC Available | Remote Exploitable

Overview

Nginx UI versions before 2.3.8 contain a command injection vulnerability. The backup restore endpoint can be reached without authentication, so a remote attacker can upload a crafted backup and have arbitrary OS commands executed as the nginx-ui user. Exploitation requires a fresh installation and must occur within 10 minutes of startup.
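The advisory names the bug class (CWE-94 via a crafted backup) but not the code path. The following Go example is added here to show the general shape of that class beside its hardened form; it is illustrative code written for this page, not Nginx UI's handler, and the request type, field names and the `tar` invocation are assumptions. Both functions return the argv they would run instead of executing anything, so the difference between the two is visible without touching the host.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// restoreRequest is a constructed stand-in for a backup-restore request:
// a caller that may or may not be authenticated, and an archive member name
// that the caller fully controls. It does not mirror Nginx UI's real types.
type restoreRequest struct {
	Authenticated bool
	EntryName     string
}

// vulnerableRestore shows the unsafe pattern: no authentication gate, and the
// untrusted name spliced into a string that would be handed to "sh -c".
// Metacharacters in EntryName therefore become additional commands.
func vulnerableRestore(req restoreRequest) []string {
	cmdline := "tar -xzf " + req.EntryName + " -C /etc/nginx"
	return []string{"sh", "-c", cmdline}
}

// safeEntryName is an allowlist for archive member names: no separators,
// no spaces, no shell metacharacters.
var safeEntryName = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)

// hardenedRestore requires an authenticated caller regardless of install
// state, validates the member name against the allowlist (rejecting dotfiles
// and ".." as well) and never involves a shell: each argv element is passed
// verbatim to the program, so the name can only ever be a filename.
func hardenedRestore(req restoreRequest) ([]string, error) {
	if !req.Authenticated {
		return nil, fmt.Errorf("restore requires an authenticated session")
	}
	if !safeEntryName.MatchString(req.EntryName) || strings.HasPrefix(req.EntryName, ".") {
		return nil, fmt.Errorf("rejected archive entry name %q", req.EntryName)
	}
	return []string{"tar", "-xzf", req.EntryName, "-C", "/etc/nginx"}, nil
}

func main() {
	// Constructed payload: a valid-looking filename followed by an injected command.
	payload := restoreRequest{Authenticated: false, EntryName: "backup.tgz; id > /tmp/pwned"}
	fmt.Println("vulnerable argv:", vulnerableRestore(payload))
	if _, err := hardenedRestore(payload); err != nil {
		fmt.Println("hardened:", err)
	}
}
```

The hardened variant gates on authentication first, so the "fresh install, first 10 minutes" window described above would not matter even if the name check were bypassed; the two controls are independent.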

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 0.0% (probability of exploitation in the next 30 days)

Impact

Remote attackers can execute arbitrary OS commands as the nginx-ui user, potentially gaining full system control.

Mitigation

Upgrade to version 2.3.8 or later.
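To check a fleet against the fixed version, the following Go helper is added here (not part of the page or the Nginx UI project). It compares whatever version string you obtain from the nginx-ui binary or its UI against 2.3.8; the accepted string shapes (optional leading "v", optional "-tag" pre-release suffix) and the sample inputs are assumptions. A pre-release of 2.3.8 is reported as vulnerable, since nothing on the page says the fix landed before the final release.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// FixedVersion is the release the advisory names as patched.
const FixedVersion = "2.3.8"

type version struct {
	nums [3]int
	pre  bool // true when a pre-release tag (e.g. "-rc1") was present
}

// parseVersion accepts strings like "v2.3.7", "2.3.8" or "2.3.8-rc1".
// Handling a leading "v" and a "-tag" suffix this way is an assumption about
// the version string's shape, not something the advisory documents.
func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(strings.TrimSpace(s), "v")
	if i := strings.IndexAny(s, "-+"); i >= 0 {
		v.pre = s[i] == '-'
		s = s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("unexpected version format %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("bad component %q in %q", p, s)
		}
		v.nums[i] = n
	}
	return v, nil
}

// IsVulnerable reports whether the installed version is older than
// FixedVersion. Components are compared numerically, so 2.3.10 is newer
// than 2.3.8; a pre-release of the fixed version is treated as vulnerable.
func IsVulnerable(installed string) (bool, error) {
	have, err := parseVersion(installed)
	if err != nil {
		return false, err
	}
	want, _ := parseVersion(FixedVersion)
	for i := range have.nums {
		if have.nums[i] != want.nums[i] {
			return have.nums[i] < want.nums[i], nil
		}
	}
	return have.pre, nil
}

func main() {
	// Constructed sample inputs; substitute the version reported by your install.
	for _, v := range []string{"v2.3.7", "2.3.8-rc1", "2.3.8", "v2.4.0", "2.3.10", "garbage"} {
		vuln, err := IsVulnerable(v)
		if err != nil {
			fmt.Printf("%-10s cannot parse: %v\n", v, err)
			continue
		}
		fmt.Printf("%-10s vulnerable=%v\n", v, vuln)
	}
}
```

Unparseable strings are reported as errors rather than silently treated as safe, so an odd build string on one host shows up as something to look at instead of disappearing from the report.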

Social Media Activity (2 posts)

BeyondMachines :verified:
@beyondmachines1
Apr 30, 2026

Nginx UI Patches Critical RCE and Admin Takeover Vulnerabilities Nginx UI released version 2.3.8 to patch four vulnerabilities, including a critical unauthenticated remote code execution flaw (CVE-2026-42238) and multiple high-severity setup takeover issues. These flaws allow attackers to gain full administrative control, execute arbitrary commands, and steal sensitive configuration secrets. **If you are running Nginx UI, if possible make sure the management interface is isolated from the internet and accessible only from trusted networks or via VPN. Update to version 2.3.8 ASAP and rotate all secrets (JWT keys, node secrets, API keys) since older versions are vulnerable during every restart.** #cybersecurity #infosec #advisory #vulnerability https://beyondmachines.net/event_details/nginx-ui-patches-critical-rce-and-admin-takeover-vulnerabilities-g-c-d-t-6/gD2P6Ple2L


Details

CVE ID
CVE-2026-42238
Severity
Critical
CVSS Score
9.8
Type
Command injection
Status
confirmed
EPSS
0.0%
Social Posts
2

CWE

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0% (probability of exploitation in the next 30 days)