SB2026042135 - Multiple vulnerabilities in nginx-ui



SB2026042135 - Multiple vulnerabilities in nginx-ui

Published: April 21, 2026 Updated: April 23, 2026

Security Bulletin ID SB2026042135
CSH Severity
High
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 50% Medium 50%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 vulnerabilities.


1) Origin validation error (CVE-ID: CVE-2026-34403)

CWE-ID: CWE-346 - Origin Validation Error

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber


The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the Cross-Site WebSocket Hijacking (CSWSH) issue within missing origin validation on all WebSocket endpoints. A remote attacker can gain access to sensitive information on the system, leading to arbitrary code execution.


2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-44015)

CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to access internal services and disclose sensitive information.

The vulnerability exists due to server-side request forgery (SSRF) in the Proxy middleware when handling API requests with an attacker-controlled X-Node-ID header that references a crafted cluster node. A remote user can create a cluster node pointing to an arbitrary internal URL and send crafted API requests to access internal services and disclose sensitive information.

The issue can be used to reach localhost, private network services, and cloud metadata endpoints.


Remediation

Install update from vendor's website.