CVE-2024-46256
Description
Command injection in NginxProxyManager 2.11.3 requestLetsEncryptSsl allows unauthenticated RCE via crafted DNS provider credentials.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in the requestLetsEncryptSsl function of NginxProxyManager version 2.11.3. The flaw resides in backend/internal/certificate.js where DNS provider credentials (dns_provider_credentials) are concatenated into a shell command without proper sanitization. Prior to the fix, the code escaped single quotes and backslashes but still embedded user-supplied credentials directly into a sh -c command string, allowing injection of arbitrary shell metacharacters. The affected code path is triggered when a user requests a Let's Encrypt SSL certificate with a custom DNS provider that requires credentials. No special privileges or configurations beyond default settings are required.
Exploitation
An attacker needs network access to the NginxProxyManager web interface and must be able to authenticate (or use a valid session token) to reach the certificate request feature. The exploit involves sending a malicious request to the /api/nginx/certificates endpoint with crafted dns_provider_credentials containing shell injection payloads. Public proof-of-concept code demonstrates sending a base64-encoded command that downloads a reverse shell payload (e.g., nc), makes it executable, and then connects back to an attacker-controlled host. The injection occurs because the credentials string is interpolated into a sh -c command line that writes the credentials file and sets permissions [1][3][4].
Impact
Successful exploitation results in remote code execution (RCE) as the nginx-proxy-manager process user (typically nobody or similar). An attacker can execute arbitrary operating system commands, potentially leading to full compromise of the application server, including data exfiltration, installation of backdoors, or lateral movement within the network. The vulnerability can also lead to privilege escalation if the process runs with elevated capabilities or inside a misconfigured container that permits escape [1][3].
Mitigation
The vulnerability was fixed in NginxProxyManager version 2.12.0, released through the merge of pull request #4073 on September 9, 2024. The fix replaces the dangerous shell command with safe filesystem operations using fs.writeFileSync and fs.unlink, eliminating the command injection vector. Users are strongly advised to upgrade to v2.12.0 or later. No workaround is available for v2.11.3. The CVE is not listed in the KEV catalog as of the publication date [1][2][3][4].
- v2.12.0 by jc21 · Pull Request #4073 · NginxProxyManager/nginx-proxy-manager
- nginx-proxy-manager/backend/internal/certificate.js at v2.11.3 · NginxProxyManager/nginx-proxy-manager
- Fix command injection when passing bash commands into the dns provide… · NginxProxyManager/nginx-proxy-manager@99cce7e
- GitHub - barttran2k/POC_CVE-2024-46256: POC_CVE-2024-46256
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), version range: =2.11.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application improperly sanitizes user-supplied credentials before executing them as shell commands."
Attack vector
An attacker with administrative access to the Nginx Proxy Manager can trigger the "Add Let's Encrypt Certificate" functionality. By providing specially crafted credentials that include shell metacharacters, the attacker can inject arbitrary commands. These commands are then executed with the privileges of the running Nginx Proxy Manager process, leading to Remote Code Execution (RCE).
Affected code
The vulnerability exists in the `requestLetsEncryptSsl` function within the Nginx Proxy Manager codebase. Specifically, the lines responsible for constructing and executing the `credentialsCmd` are affected. The patch modifies this section, replacing the command string construction with direct file system operations.
What the fix does
The patch removes the direct execution of shell commands for handling Let's Encrypt certificate credentials. Instead of constructing a command string with `echo` and `chmod`, the updated code uses Node.js's built-in `fs.mkdirSync` and `fs.writeFileSync` functions to create the credentials directory and write the credentials file securely. This eliminates the possibility of command injection by treating the credentials as data rather than executable code.
Preconditions
- auth: The attacker must have administrative access to the Nginx Proxy Manager.
- input: The attacker must be able to provide malicious input in the 'dns_provider_credentials' field when adding a Let's Encrypt certificate.
Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/NginxProxyManager/nginx-proxy-manager/blob/v2.11.3/backend/internal/certificate.js (source: mitre)
- github.com/NginxProxyManager/nginx-proxy-manager/commit/99cce7e2b0da2978411cedd7cac5fffbe15bc466 (source: mitre)
- github.com/NginxProxyManager/nginx-proxy-manager/pull/4073/commits/c39d5433bcd13993def222bbb2b6988bbb810a05 (source: mitre)
News mentions
No linked articles in our index yet.