Nginx UI
cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*
- 2.3.5
A vulnerability allowing unauthenticated bootstrap takeover has been identified in Nginx UI version 2.3.5. This issue arises during the initial installation phase, when the application is still uninitialized and accessible without authentication. The vulnerability is exploited by sending a POST request to /api/install with attacker-controlled bootstrap data, which includes the application's JWT secret, node secret, certificate email, and initial administrator credentials. This allows an attacker to claim control of the installation before the legitimate operator can intervene. The vulnerability is particularly concerning in environments where Nginx UI is deployed fresh and exposed over the network, as it enables complete administrative control without authentication.
Exploitation of this vulnerability allows for full administrative control over a fresh Nginx UI instance during the initial setup window. An attacker can define the first administrator account and application secrets, effectively locking the legitimate operator out of the installation.
To reproduce this vulnerability, deploy a fresh Nginx UI v2.3.5 instance using the Docker image 'uozi/nginx-ui' with empty '/etc/nginx' and '/etc/nginx-ui' directories. Once the instance is running, send a POST request to '/api/install' without authentication. The response will indicate that the installation is still uninitialized. After successfully posting the installation data, the installation will be locked, and the attacker can immediately log in as the newly created administrator.
No public patch is currently available for this vulnerability. Until one is, the recommended mitigations are to remove remote unauthenticated installation rather than rely on it as a security boundary, to require a local-only or out-of-band bootstrap secret for the installation process, and to bind the initial setup to trusted local access paths.
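As an added detection example (not part of this advisory or of the Nginx UI project), the following Python scans nginx combined-format access log lines for POST requests to /api/install from non-loopback addresses, flagging a 2xx response as a likely remote bootstrap. It assumes the instance, or a reverse proxy in front of it, logs in that format and that loopback is the only trusted local access path; the sample log lines are constructed.

```python
import ipaddress
import re

# nginx combined log format, as written by a reverse proxy in front of Nginx UI (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-)'
)
BOOTSTRAP_PATH = "/api/install"  # the unauthenticated bootstrap endpoint from the advisory

def is_trusted_source(ip: str) -> bool:
    """Assumption: only loopback counts as a trusted local access path for bootstrap."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False  # malformed address field: never treat as trusted

def find_remote_bootstrap_attempts(lines):
    """Return (timestamp, ip, status, severity) for each POST /api/install from a
    non-loopback address. A 2xx means the instance was bootstrapped remotely."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] != "POST" or path != BOOTSTRAP_PATH:
            continue
        if is_trusted_source(m["ip"]):
            continue
        status = int(m["status"])
        severity = "critical" if 200 <= status < 300 else "warning"
        findings.append((m["ts"], m["ip"], status, severity))
    return findings

# Constructed sample log lines (not from a real incident); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Oct/2025:12:00:01 +0000] "POST /api/install HTTP/1.1" 200 312 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2025:12:00:05 +0000] "GET /api/install HTTP/1.1" 200 45 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2025:12:00:06 +0000] "POST /api/install HTTP/1.1" 200 312 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Oct/2025:12:01:00 +0000] "POST /api/install HTTP/1.1" 403 0 "-" "python-requests/2.31"',
    '198.51.100.2 - - [10/Oct/2025:12:01:01 +0000] "POST /api/login HTTP/1.1" 200 180 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for ts, ip, status, severity in find_remote_bootstrap_attempts(SAMPLE_LOG):
        print(f"{severity.upper():8} {ts} {ip} POST {BOOTSTRAP_PATH} -> {status}")
```

The loopback-only POST on the first sample line is ignored, while the remote 200 is reported as critical and the remote 403 as a warning.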