Nginx Proxy Manager versions 2.9.14 through 2.15.1 (fixed in commit a5db5ed) contain an authenticated remote code execution vulnerability caused by OS command injection in the setupCertbotPlugins() function in backend/setup.js. An authenticated user holding the certificates:manage permission can execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field: the user-controlled dns_provider_credentials value is interpolated directly into a shell command run via child_process.exec() without sanitization or escaping, so the injected command executes the next time the backend restarts.
Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()
Problem type
Affected products
NginxProxyManager
nginx-proxy-manager
<= 2.15.1 - AFFECTED
a5db5ed156355e3088e7d1ceb0533d4bae922def - UNAFFECTED
References
github.com
https://github.com/NginxProxyManager/nginx-proxy-manager/pull/5498
github.com
https://github.com/NginxProxyManager/nginx-proxy-manager/commit/a5db5ed156355e3088e7d1ceb0533d4bae922def
vulncheck.com
https://www.vulncheck.com/advisories/nginx-proxy-manager-authenticated-rce-via-setupcertbotplugins
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-40519
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-40519",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-06-08T19:28:51.872Z",
"dateReserved": "2026-04-13T20:29:02.809Z",
"datePublished": "2026-06-08T19:28:51.872Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-06-08T19:28:51.872Z"
},
"datePublic": "2026-04-19T00:00:00.000Z",
"title": "Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()",
"descriptions": [
{
"lang": "en",
"value": "Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart."
}
],
"affected": [
{
"vendor": "NginxProxyManager",
"product": "nginx-proxy-manager",
"repo": "https://github.com/NginxProxyManager/nginx-proxy-manager",
"defaultStatus": "affected",
"versions": [
{
"version": "2.9.14",
"status": "affected",
"versionType": "semver",
"lessThanOrEqual": "2.15.1"
},
{
"version": "a5db5ed156355e3088e7d1ceb0533d4bae922def",
"status": "unaffected",
"versionType": "git"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
"cweId": "CWE-78",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/NginxProxyManager/nginx-proxy-manager/pull/5498",
"tags": [
"issue-tracking"
]
},
{
"url": "https://github.com/NginxProxyManager/nginx-proxy-manager/commit/a5db5ed156355e3088e7d1ceb0533d4bae922def",
"tags": [
"patch"
]
},
{
"url": "https://www.vulncheck.com/advisories/nginx-proxy-manager-authenticated-rce-via-setupcertbotplugins",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
],
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
"attackVector": "NETWORK",
"attackComplexity": "HIGH",
"privilegesRequired": "LOW",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH"
}
}
],
"credits": [
{
"lang": "en",
"value": "Yassine Damiri",
"type": "finder"
}
],
"tags": [
"x_open-source"
]
}
}
}