Nginx UI
cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*
- >= 2.0.0, <= 2.3.5
A vulnerability in Nginx UI versions 2.0.0 prior to 2.3.8 allows an unauthenticated network attacker to take over the initial administrator account on a new Nginx UI instance during the first-run setup. The public /api/install endpoint can be accessed without authentication, and while the request-encryption process protects payload confidentiality in transit, it does not verify who is authorized to perform the installation. An attacker who accesses the service before the legitimate operator can manipulate the admin email, username, and password, leading to permanent takeover of the initial admin account. This vulnerability has been patched in version 2.3.8.
Exploitation of this vulnerability allows for authentication bypass and unauthorized claiming of the initial admin account, giving the attacker full control over the Nginx UI application. This could result in unauthorized changes to Nginx configurations, misuse of certificate management, disruption of services, and broader operational control over the managed environment.
To reproduce this vulnerability, access a fresh Nginx UI instance that has not yet been set up. The /api/install endpoint can be reached without authentication. Once the endpoint is accessed, the instance will indicate that it is not locked and has not timed out, confirming that the installation process is open. An unauthenticated POST request can then be sent to the /api/install endpoint, claiming the initial admin account by overwriting user ID 1 with an attacker-controlled username and password. This can be verified by checking the application's database, where the admin account details will reflect the changes made by the attacker.
Users can update to Nginx UI version 2.3.8 or later, where this vulnerability has been fixed.
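The weakness described above is a missing authorization check on a first-run setup endpoint, not a flaw in the transport encryption. The following Go program is an added illustration of that pattern and is not Nginx UI's own code or its 2.3.8 fix: it places a handler that accepts any unauthenticated install request beside one that requires a one-time setup token (generated at startup and written only to the server console, so an operator with host access can read it while a remote party cannot) and that locks permanently once user ID 1 has been claimed. The JSON field names, the `X-Setup-Token` header, and the in-memory `adminStore` standing in for the database row are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"log"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync"
)

// installRequest is the setup payload shape assumed for this example; the real
// Nginx UI request fields are not reproduced here.
type installRequest struct {
	Email    string `json:"email"`
	Username string `json:"username"`
	Password string `json:"password"`
}

// adminStore stands in for the database row that holds the initial admin (user ID 1).
type adminStore struct {
	mu        sync.Mutex
	installed bool
	username  string
}

// VulnerableInstall shows the weak pattern: whoever reaches the endpoint first
// defines the admin account, because nothing checks that the caller is the operator.
func (s *adminStore) VulnerableInstall(w http.ResponseWriter, r *http.Request) {
	var req installRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.installed = true
	s.username = req.Username
	w.WriteHeader(http.StatusOK)
}

// HardenedInstall gates setup behind a one-time token that is only printed to the
// server console at startup, and refuses every request once setup has completed.
type HardenedInstall struct {
	store *adminStore
	token string
}

func NewHardenedInstall(store *adminStore) (*HardenedInstall, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return nil, err
	}
	h := &HardenedInstall{store: store, token: hex.EncodeToString(b)}
	log.Printf("first-run setup token (console only, never served over HTTP): %s", h.token)
	return h, nil
}

func (h *HardenedInstall) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	h.store.mu.Lock() // hold the lock across check-and-set so two racing requests cannot both succeed
	defer h.store.mu.Unlock()
	if h.store.installed {
		http.Error(w, "already installed", http.StatusConflict)
		return
	}
	got := r.Header.Get("X-Setup-Token")
	if subtle.ConstantTimeCompare([]byte(got), []byte(h.token)) != 1 {
		http.Error(w, "setup token required", http.StatusForbidden)
		return
	}
	var req installRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Username == "" || req.Password == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	h.store.installed = true
	h.store.username = req.Username
	w.WriteHeader(http.StatusOK)
}

// post drives a handler in-process and returns the HTTP status code it produced.
func post(h http.Handler, token, body string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/install", strings.NewReader(body))
	if token != "" {
		req.Header.Set("X-Setup-Token", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	store := &adminStore{}
	h, err := NewHardenedInstall(store)
	if err != nil {
		log.Fatal(err)
	}
	// Constructed sample payload for the legitimate operator.
	body := `{"email":"ops@example.test","username":"operator","password":"correct horse"}`
	log.Printf("no token      -> %d", post(h, "", body))         // 403
	log.Printf("with token    -> %d", post(h, h.token, body))    // 200
	log.Printf("second attempt -> %d", post(h, h.token, body))   // 409
}
```

Two details carry the weight here: the token is compared in constant time and never returned by any HTTP response, and the installed check and the write happen under the same lock, so a request that arrives a moment after the operator's cannot reopen setup. A setup window that expires after a fixed time, as the advisory's mention of a timeout suggests, is a complementary control and is not shown.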