Security Advisory - Published 2026-06-08 - Nginx Proxy Manager
Nginx Proxy Manager CVE-2026-40519: Authenticated RCE Self-Check
CVE-2026-40519 tracks an authenticated command injection issue in Nginx Proxy
Manager's certificate plugin setup flow. The alert maps the vulnerable path to
backend/setup.js and setupCertbotPlugins(), where DNS
provider credentials were written through a shell command. The upstream fix changes
that path to filesystem APIs.
Who is affected
- Product: Nginx Proxy Manager
- CVE: CVE-2026-40519
- Reported affected range: 2.9.14 through 2.15.1 in the current alert feed
- Vulnerable area: Let's Encrypt DNS provider credential handling
- Permission needed: certificate management access
- Fix signal: upstream commit a5db5ed replaces shell command writing with filesystem calls
10-minute self-check
Step 1: Find the running container and image
docker ps --format 'table {{.Names}}\t{{.Image}}\t{{.Ports}}' | grep -i 'nginx.*proxy'
If Nginx Proxy Manager is reachable from the public internet, lock down the admin UI before doing anything else. The proxy ports can stay public; the admin port should not be open to everyone.
Step 2: Check the installed version
docker exec <container> sh -lc "node -p \"require('/app/package.json').version\" 2>/dev/null || grep '\"version\"' /app/package.json"
If the version falls in the affected range and you use DNS challenge certificates, treat the instance as exposed until you confirm the image includes the upstream fix.
Step 3: Review who can manage certificates
- Remove certificate management permission from users who do not need it.
- Disable stale admin accounts and shared agency accounts.
- Rotate passwords for any account that used the admin UI from an untrusted device.
- Check whether API keys or saved browser sessions could still access the panel.
Step 4: Inspect DNS provider credential use
You do not need to print secrets into chat or tickets. Confirm whether the instance used Let's Encrypt DNS challenge plugins and whether credential files were recently changed.
docker exec <container> sh -lc "ls -la /etc/letsencrypt/credentials 2>/dev/null"
docker exec <container> sh -lc "find /etc/letsencrypt/credentials -type f -mtime -14 -ls 2>/dev/null"
Safe fix path
- Update Nginx Proxy Manager. Pull a fixed image or build that includes commit a5db5ed.
- Restart the container. Confirm the running image changed after the update.
- Restrict the admin UI. Put it behind VPN, a private IP allowlist, or a zero-trust access layer.
- Rotate DNS provider tokens. Rotate tokens used for certificate DNS challenges, especially if certificate admins were not tightly controlled.
- Review logs. Check certificate changes, account activity, container restarts, and reverse proxy host changes.
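The self-check steps 1, 2 and 4 above, plus the post-update check that the running image actually changed, can be run as one script. The following is an added example and is not code from the advisory or from the Nginx Proxy Manager project. It assumes a local Docker host, an image name matching nginx.*proxy, the version in /app/package.json (the same file the advisory's command reads), credential files under /etc/letsencrypt/credentials, and the admin UI on container port 81 (the NPM default). The affected range 2.9.14 through 2.15.1 and commit a5db5ed come from the advisory. Versions are compared numerically so that 2.10.x is correctly treated as later than 2.9.14; a plain string comparison would get that wrong.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Nginx Proxy Manager:
# runs self-check steps 1, 2 and 4 against the local Docker host.
set -u

AFFECTED_MIN="2.9.14"   # from the advisory
AFFECTED_MAX="2.15.1"   # from the advisory
FIX_COMMIT="a5db5ed"    # from the advisory
CREDENTIALS_DIR="/etc/letsencrypt/credentials"   # path used in the advisory
ADMIN_PORT=81           # assumption: NPM default admin UI port

# Turn "v2.10.3" or "2.10.3-rc1" into an integer so 2.10.x sorts after 2.9.x.
# A string comparison would place 2.10.0 before 2.9.14 and miss the range.
version_key() {
  printf '%s\n' "$1" | sed 's/^[vV]//' |
    awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Succeeds (exit 0) when $1 lies within [AFFECTED_MIN, AFFECTED_MAX].
version_in_affected_range() {
  k=$(version_key "$1")
  lo=$(version_key "$AFFECTED_MIN")
  hi=$(version_key "$AFFECTED_MAX")
  [ "$k" -ge "$lo" ] && [ "$k" -le "$hi" ]
}

# Step 1: name of the first running container whose image looks like NPM.
find_container() {
  docker ps --format '{{.Names}}\t{{.Image}}' |
    awk -F'\t' 'tolower($2) ~ /nginx.*proxy/ { print $1; exit }'
}

# Step 2: version from /app/package.json, via node with a grep fallback,
# normalised to a bare "X.Y.Z" string.
installed_version() {
  docker exec "$1" sh -lc \
    "node -p \"require('/app/package.json').version\" 2>/dev/null || grep '\"version\"' /app/package.json" |
    tr -d '" ,\t' | sed 's/^version://'
}

main() {
  container=$(find_container)
  if [ -z "$container" ]; then
    echo "No running Nginx Proxy Manager container found."
    return 2
  fi
  image=$(docker inspect --format '{{.Config.Image}}' "$container")
  version=$(installed_version "$container")
  echo "container: $container"
  echo "image:     $image"          # compare before/after the update
  echo "version:   ${version:-unknown}"

  # Step 2 verdict: affected range from the advisory.
  if [ -n "$version" ] && version_in_affected_range "$version"; then
    echo "STATUS: version is inside the reported affected range ($AFFECTED_MIN to $AFFECTED_MAX);"
    echo "        treat as exposed until the image is confirmed to include commit $FIX_COMMIT."
  else
    echo "STATUS: version is outside the reported affected range (or unknown)."
  fi

  # Step 1 follow-up: is the admin UI published on all interfaces?
  admin=$(docker port "$container" "$ADMIN_PORT" 2>/dev/null || true)
  case "$admin" in
    *0.0.0.0:*|*:::*|*\[::\]:*)
      echo "WARNING: admin UI port $ADMIN_PORT is published on all interfaces: $admin" ;;
    "")
      echo "admin UI port $ADMIN_PORT is not published by Docker" ;;
    *)
      echo "admin UI port $ADMIN_PORT is bound to: $admin" ;;
  esac

  # Step 4: credential files touched in the last 14 days (names only, never contents).
  echo "DNS challenge credential files changed in the last 14 days:"
  docker exec "$container" sh -lc "find $CREDENTIALS_DIR -type f -mtime -14 -ls 2>/dev/null" ||
    echo "  (none, or $CREDENTIALS_DIR does not exist)"
}

# Only run the checks when invoked as: sh npm_selfcheck.sh run
if [ "${1:-}" = "run" ]; then
  main
fi
```

Run it as `sh npm_selfcheck.sh run` on the Docker host before and after the update; the image line should differ between the two runs. The script prints file names and modification times only, so its output can go into a ticket without leaking tokens.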
Signs that need deeper review
- Unknown users with certificate management permission.
- New or modified DNS challenge credentials.
- Unexpected certificate issuance or failed certificate plugin installs.
- Admin UI logins from unfamiliar networks.
- Proxy hosts changed to new upstream targets without a ticket or change note.
Ping7 repair path
Ping7 can review the Nginx Proxy Manager version, admin exposure, certificate permissions, DNS challenge credentials, and logs. Start from CVE Repair and include the container image tag, admin port exposure, and whether DNS challenge certificates are used.