CVE-2026-40519: Nginx Proxy Manager Authenticated RCE via setupCertbotPlugins()
Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
Metrics
- CVSS v4.0: 7.7
- Severity: HIGH
- Fixed in: a5db5ed156355e3088e7d1ceb0533d4bae922def
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an OS command injection vulnerability (a form of authenticated remote code execution) in Nginx Proxy Manager versions 2.9.14 through 2.15.1. An attacker who holds the certificates:manage permission can store a malicious payload in the dns_provider_credentials field; when the backend restarts, that payload is interpolated unsanitized into a shell command executed via Node.js child_process.exec(), causing arbitrary OS commands to run on the host. Successful exploitation gives the attacker full read, write, and availability impact on the affected container. A patched-image rebuild at commit a5db5ed156355e3088e7d1ceb0533d4bae922def is available on HarborGuard for environments running an affected version.
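The injection pattern described above, next to a shell-free replacement and a triage heuristic for values already stored in dns_provider_credentials. This is an added example, not Nginx Proxy Manager's code or its actual fix; the function names, the row shape and the sample values are assumptions constructed for illustration.

```javascript
// Added illustration, not Nginx Proxy Manager source; all names are hypothetical.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Pattern the advisory describes (comment only, never executed here):
//   child_process.exec('<shell text> ' + credentials + ' <shell text>')
// Hardened pattern: the stored value is written as file data, so no shell
// ever parses it and its contents cannot alter a command line.
function writeCredentialsFile(dir, certificateId, credentials) {
  if (!Number.isInteger(certificateId) || certificateId <= 0 || typeof credentials !== 'string') {
    throw new TypeError('expected a positive integer id and a string value');
  }
  fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
  const file = path.join(dir, `credentials-${certificateId}`);
  fs.writeFileSync(file, credentials, { mode: 0o600 });
  fs.chmodSync(file, 0o600); // enforce the mode even if the file already existed
  return file;
}

// Triage heuristic for rows stored before patching: flag values containing
// characters a POSIX shell treats as syntax. A hit means "review this row".
const SHELL_SYNTAX = /['`;|]|\$\(|&&/;
function flagSuspiciousCredentials(rows) {
  return rows
    .filter((row) => typeof row?.meta?.dns_provider_credentials === 'string')
    .filter((row) => SHELL_SYNTAX.test(row.meta.dns_provider_credentials))
    .map((row) => row.id);
}

// Constructed sample rows (assumed shape: { id, meta: { dns_provider_credentials } }).
const SAMPLE_ROWS = [
  { id: 1, meta: { dns_provider_credentials: 'dns_example_api_token = 0123456789abcdef' } },
  { id: 2, meta: { dns_provider_credentials: "dns_example_api_token = abc'def" } },
  { id: 3, meta: { dns_provider_credentials: 'dns_example_api_token = abc`def' } },
  { id: 4, meta: {} },
];

function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'npm-creds-'));
  const value = SAMPLE_ROWS[1].meta.dns_provider_credentials;
  const file = writeCredentialsFile(dir, 2, value);
  const roundTrip = fs.readFileSync(file, 'utf8') === value; // stored byte-for-byte
  const mode = fs.statSync(file).mode & 0o777;
  fs.rmSync(dir, { recursive: true, force: true });
  return { flagged: flagSuspiciousCredentials(SAMPLE_ROWS), roundTrip, mode };
}
console.log(demo());
```

The heuristic can flag legitimate secrets that happen to contain these characters, so treat a hit as a prompt to inspect the row and the account that wrote it.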
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all scanned images, including custom-built images derived from nginx-proxy-manager base layers. Any image carrying an affected version (2.9.14 through 2.15.1) is flagged automatically in both registry scans and CI pipeline checks.
HarborGuard scores this finding at CVSS 4.0 7.7 (HIGH) and surfaces it in each customer org's triage queue, weighted against that org's compliance policy (for example, stricter policies for internet-exposed proxy workloads will elevate its routing priority). The finding is routed to the inbox or ticket queue configured for the owning team within each customer environment.
A patched-image rebuild pinned to commit a5db5ed156355e3088e7d1ceb0533d4bae922def is available on HarborGuard for any environment running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads; for HIGH-severity issues, median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled.
Exploit Conditions
- Network reachability (Required): The attacker must reach the Nginx Proxy Manager web interface over the network to authenticate and submit the malicious payload.
- Authentication (Required): A low-privilege account holding the certificates:manage permission is sufficient; no admin credentials are needed.
- Victim interaction (Not required): No victim interaction is required; the injected command executes automatically when the backend process restarts.
- Attack complexity (Detail): Base exploit logic is straightforward and condition-free, though the CVSS vector notes an attack prerequisite (AT:P) meaning specific backend restart timing or a triggerable restart condition must be in place for the payload to execute.
Blast Radius
- The attacker executes arbitrary OS commands as the process user inside the Nginx Proxy Manager container, enabling full read access to files on the container filesystem including stored credentials and TLS private keys.
- The attacker can write or overwrite files on the container filesystem, allowing persistent backdoor installation or configuration tampering that survives image restarts.
- The attacker can crash or disrupt the proxy service, interrupting routing for all traffic flowing through the affected Nginx Proxy Manager instance.
- Because the injected command runs in the container process context, any secrets or environment variables mounted into that container (API keys, database passwords, cloud provider tokens) are exposed to direct exfiltration.
How HarborGuard Handles This
Available on HarborGuard: detection fires within minutes of advisory ingestion for any scanned image on versions 2.9.14 through 2.15.1, including custom images built on top of upstream nginx-proxy-manager layers. A rebuild pinned to the fix commit (a5db5ed156355e3088e7d1ceb0533d4bae922def) is available immediately. Where compliance policy permits auto-remediation, HarborGuard rebuilds the image, runs regression tests, and opens a pull request against affected workloads; for HIGH-severity issues, median time to a merged patch PR is around 90 minutes. For environments where auto-remediation is not enabled, the recommended manual steps are: update to a build at or after commit a5db5ed, restrict the certificates:manage permission to the smallest possible set of accounts, and consider placing the Nginx Proxy Manager admin interface behind a network policy that limits inbound access to trusted management hosts only.
- NginxProxyManager / nginx-proxy-manager: ≤ 2.15.1, fixed in a5db5ed156355e3088e7d1ceb0533d4bae922def
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N