CVE-2026-40519: Nginx Proxy Manager Remote Code Execution via Command Injection
Nginx Proxy Manager contains a flaw that allows authenticated users with certificate management permissions to run arbitrary commands on the server by injecting malicious code into a certificate credential field. When the application restarts, the injected commands execute automatically, giving attackers the ability to take control of the system. Versions 2.9.14 through 2.15.1 are affected; the issue has been patched in a specific code commit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-08 / 2026-07-14
NVD description (verbatim)
Nginx Proxy Manager versions 2.9.14 through 2.15.1, fixed in commit a5db5ed, contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function in backend/setup.js, allowing attackers with certificates:manage permission to execute arbitrary commands by storing a malicious payload in the dns_provider_credentials field. The user-controlled dns_provider_credentials value is interpolated directly into a shell command executed via child_process.exec() without sanitization or escaping, causing the injected command to execute upon backend restart.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-40519 is an authenticated remote code execution vulnerability stemming from OS command injection in the setupCertbotPlugins() function located in backend/setup.js. The vulnerability arises because user-supplied data from the dns_provider_credentials field is interpolated directly into a shell command without sanitization or escaping before being executed via child_process.exec(). An attacker who possesses the certificates:manage permission can craft a malicious payload in this field; upon backend restart, the payload executes with the privileges of the Nginx Proxy Manager process. The affected version range spans 2.9.14 through 2.15.1, with remediation available in commit a5db5ed.
Business impact
Successful exploitation grants an authenticated insider or compromised administrator account the ability to execute arbitrary code on the Nginx Proxy Manager host. This can lead to full server compromise, data exfiltration, lateral movement to other systems on the network, deployment of persistent backdoors, or disruption of proxy services. Organizations relying on Nginx Proxy Manager for SSL/TLS termination and request routing face potential service unavailability and breach of encrypted traffic intended for inspection or logging.
Affected systems
Nginx Proxy Manager versions 2.9.14 through 2.15.1 are vulnerable. Users must verify their installed version and apply the patch from commit a5db5ed or upgrade to a version incorporating that commit. The vulnerability requires that an attacker either be a legitimate user with certificates:manage permission or that such credentials have been compromised.
Exploitability
Exploitation requires prior authentication and the certificates:manage permission, which significantly restricts the attack surface. However, once those prerequisites are met, the attack is straightforward: inject a payload into the dns_provider_credentials field and restart the backend service. The CVSS vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects that network access is possible but attack complexity is high, authentication is mandatory, and no user interaction is needed for execution. In environments where certificate administrators are trusted or where credentials are poorly managed, this becomes a meaningful risk.
Remediation
Apply the patch available in commit a5db5ed to Nginx Proxy Manager. Users should identify all instances running versions 2.9.14 through 2.15.1 and prioritize updates. In parallel, audit which users and service accounts hold the certificates:manage permission and apply the principle of least privilege to restrict this role. Review logs for any suspicious certificate management activity or backend restart patterns that might indicate prior exploitation.
Patch guidance
Verify the specific patch version or commit hash a5db5ed against the official Nginx Proxy Manager repository and apply it to your deployment. Follow the project's standard update procedures, which typically include backing up configuration, testing in a non-production environment, and scheduling the update during a maintenance window because backend restart is required for the patch to take effect and for any injected payloads to be neutralized.
Detection guidance
Monitor for dns_provider_credentials entries containing shell metacharacters or command sequences (backticks, $(), &&, |, ;, etc.) in configuration or audit logs. Log and alert on backend restart events, particularly those initiated shortly after certificate credential modifications. Network intrusion detection should look for unusual process execution spawned by the Nginx Proxy Manager process, especially commands indicative of reconnaissance, privilege escalation, or lateral movement. Review audit trails for certificate:manage permission assignments and any access by unexpected principals.
Why prioritize this
While the attack requires prior authentication, the impact is severe—unauthenticated remote code execution on the proxy host—and the attack vector is simple once credentials are obtained. The HIGH CVSS score (7.5) and the prevalence of Nginx Proxy Manager in production SSL/TLS infrastructure make this a priority for organizations using affected versions. Internal credential compromise or insider threats pose a non-trivial risk in many environments.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) balances the requirement for authentication and elevated permissions (PR:L, AC:H) against the severe confidentiality, integrity, and availability impact (C:H/I:H/A:H). The high complexity factor reflects that the attacker must know or guess the structure of the vulnerability and ensure backend restart occurs, but these are not substantial barriers in typical operational environments. The HIGH severity reflects realistic exploitability if an attacker already possesses or can compromise a certificate manager account.
Frequently asked questions
Do we need to restart Nginx Proxy Manager for the patch to take effect?
Yes. The vulnerability is triggered upon backend restart, so existing injected payloads will execute when the service is restarted. Applying the patch prevents new payloads from executing on subsequent restarts. You should apply the patch and schedule a planned restart to ensure no malicious payloads are activated during the update process.
What should we do if we discover suspicious dns_provider_credentials entries?
Immediately review the values in your Nginx Proxy Manager database or configuration files for any containing command injection patterns. If found, treat your system as compromised: audit process logs around the time of injection, check for unauthorized processes, scan for backdoors, and consider forensic analysis. Reset all certificate manager credentials and audit permissions after the incident.
Does this vulnerability affect us if we don't use DNS provider credentials?
The vulnerability exists in the setupCertbotPlugins() function, which relates to ACME DNS challenge automation. If your environment uses HTTP-based ACME challenges or manually manages certificates, the function may still be executed during startup, so the risk is not eliminated. Apply the patch regardless of your certificate strategy.
Are there any workarounds if we cannot patch immediately?
Strict access control is essential: limit the certificates:manage permission to only the minimum required accounts, monitor those accounts closely, and consider temporarily disabling API access for certificate management if feasible. These measures reduce but do not eliminate risk. Patching should be prioritized as soon as operationally possible.
This analysis is provided for informational purposes to assist with vulnerability assessment and remediation planning. It does not constitute professional security advice. No guarantee is made regarding the accuracy or completeness of this information. Organizations must independently verify all patch details, affected version numbers, and patch version identifiers against official vendor advisories before deploying changes. SEC.co and its analysts assume no liability for actions taken or omitted based on this intelligence. Always follow your organization's change management and testing protocols before applying security patches. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability