Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-42221 is a critical severity vulnerability with a CVSS score of 9.8. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
An unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; it does not authenticate who is allowed to perform installation. A remote attacker who reaches the service before the legitimate operator can set the admin email, username, and password, causing permanent initial-instance takeover.
The vulnerable route is exposed publicly through the main API router. router/routers.go:61-70 mounts system.InitPublicRouter(root) under /api, and api/system/router.go:16-19 registers both GET /api/install and POST /api/install without AuthRequired().
The install handler only checks whether the instance is already installed and whether more than ten minutes have elapsed since startup. api/system/install.go:26-33 treats the instance as uninstalled when JwtSecret is empty and SkipInstallation is false. api/system/install.go:56-69 rejects requests only if installation has already happened or the ten-minute window has expired.
If those checks pass, the unauthenticated caller controls the initialization flow. api/system/install.go:77-81 generates and saves the JWT secret, node secret, and certificate email from attacker-controlled input, and api/system/install.go:93-97 overwrites user ID 1 with the attacker-chosen username and password hash. internal/kernel/init_user.go:15-22 guarantees that privileged user ID 1 exists ahead of time, so there is always an account to claim.
The public-key bootstrap does not add authentication. api/crypto/router.go:5-9 exposes POST /api/crypto/public_key publicly, api/crypto/crypto.go:12-32 returns a server public key to any caller, internal/crypto/crypto.go:44-61 stores a shared keypair in cache, and internal/middleware/encrypted_params.go:25-50 only decrypts before passing the request to the install handler. No request ID, local-only restriction, bootstrap secret, or prior trust check is enforced.
| Vendor | Product |
|---|---|
| Nginxui | Nginx Ui |
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
encrypted_paramsThis was verified locally in an isolated lab instance. A fresh instance returned {"lock":false,"timeout":false}, an unauthenticated POST /api/install returned {"message":"ok"}, the instance then flipped to {"lock":true,"timeout":false}, and the on-disk SQLite database showed user ID 1 renamed to the attacker-controlled username with a non-empty password hash.
The quickest local verification path is the helper script created during validation:
ATTACKER_EMAIL='[email protected]' ATTACKER_USER='attacker' ATTACKER_PASS='Password12345' \
'/Users/r1zzg0d/Documents/CVE hunting/targets/nginx-ui/output/verify/verify_fresh_install_takeover.sh'
Expected proof points:
[1/6] Fresh-instance status:
{
"lock": false,
"timeout": false
}
[3/6] Claiming the initial administrator account...
{
"message": "ok"
}
[4/6] Verifying install is now locked...
{
"lock": true,
"timeout": false
}
[5/6] Verifying the on-disk admin record was overwritten...
{
"id": 1,
"name": "attacker",
"password_len": 60
}
To confirm the final state manually:
sqlite3 '/Users/r1zzg0d/Documents/CVE hunting/targets/nginx-ui/tmp/poc-install-takeover/database.db' \
'select id,name,length(password) from users where id=1;'
Expected output:
1|attacker|60
Manual HTTP reproduction is also straightforward:
GET /api/install and confirm lock=false and timeout=false.POST /api/crypto/public_key to obtain the public RSA key.{"email":"[email protected]","username":"attacker","password":"Password12345"} with that public key and base64-encode the ciphertext.POST /api/install as {"encrypted_params":"..."}.GET /api/install and observe that lock=true.1 now belongs to the attacker-controlled username.This is an authentication bypass / initial admin claim vulnerability affecting fresh, uninitialized instances that are reachable over the network during the installation window. Any attacker able to reach the service before the legitimate operator can permanently take ownership of the first administrator account and thereby seize control of the application. Because nginx-ui is an administrative interface for Nginx and related host-management features, compromise of the initial admin account can lead to unauthorized configuration changes, certificate management abuse, backup manipulation, service disruption, and broader operational takeover of the managed environment.
POST /api/install.