SB2026042135 - Multiple vulnerabilities in nginx-ui
Published: April 21, 2026 Updated: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 vulnerabilities.
1) Origin validation error (CVE-ID: CVE-2026-34403)
CWE-ID: CWE-346 - Origin Validation Error
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the Cross-Site WebSocket Hijacking (CSWSH) issue within missing origin validation on all WebSocket endpoints. A remote attacker can gain access to sensitive information on the system, leading to arbitrary code execution.
2) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-44015)
CWE-ID: CWE-918 - Server-Side Request Forgery (SSRF)
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:L/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to access internal services and disclose sensitive information.
The vulnerability exists due to server-side request forgery (SSRF) in the Proxy middleware when handling API requests with an attacker-controlled X-Node-ID header that references a crafted cluster node. A remote user can create a cluster node pointing to an arbitrary internal URL and send crafted API requests to access internal services and disclose sensitive information.
The issue can be used to reach localhost, private network services, and cloud metadata endpoints.
Remediation
Install update from vendor's website.