CVE-2024-46257
Description
Command injection in NginxProxyManager 2.11.3 allows remote code execution via Let's Encrypt certificate addition.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in the requestLetsEncryptSslWithDnsChallenge function of NginxProxyManager version 2.11.3. The flaw resides in backend/internal/certificate.js where DNS provider credentials are unsanitized before being passed to shell commands, allowing arbitrary command execution [2][3].
Exploitation
An attacker with administrative access to the NginxProxyManager web interface can exploit this by adding a Let's Encrypt certificate with a malicious DNS provider credential string. The credentials are injected into a shell command without proper escaping, enabling the attacker to execute arbitrary OS commands [3][4].
Impact
Successful exploitation results in remote code execution as the user running the NginxProxyManager service, leading to full compromise of the host system [4].
Mitigation
The vulnerability is fixed in NginxProxyManager version 2.12.0, released on 2024-09-27, via commit 99cce7e2b0da2978411cedd7cac5fffbe15bc466 [1][3]. Users should upgrade to v2.12.0 or later; no workaround is available.
- [1] v2.12.0 by jc21 · Pull Request #4073 · NginxProxyManager/nginx-proxy-manager
- [2] nginx-proxy-manager/backend/internal/certificate.js at v2.11.3 · NginxProxyManager/nginx-proxy-manager
- [3] Fix command injection when passing bash commands into the dns provide… · NginxProxyManager/nginx-proxy-manager@99cce7e
- [4] GitHub - barttran2k/POC_CVE-2024-46256: POC_CVE-2024-46256
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE), affected version range: = 2.11.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application improperly constructs shell commands by directly embedding user-controlled data."
Attack vector
An attacker can trigger this vulnerability by adding a Let's Encrypt certificate using a DNS challenge. The attacker must provide specially crafted input for the DNS provider credentials, which are then incorporated into a shell command executed by the application. This allows the attacker to inject arbitrary commands that will be run with the privileges of the application. [ref_id=1]
Affected code
The vulnerability exists in the `requestLetsEncryptSslWithDnsChallenge` function within the NginxProxyManager codebase. Specifically, the code responsible for handling and writing DNS provider credentials to a file was vulnerable. The patch modifies lines 861-865 and 904-911 to address this issue. [ref_id=1]
What the fix does
The patch removes the construction of a separate command to write credentials to a file. Instead, it directly uses `fs.writeFileSync` to write the credentials to the specified location with appropriate permissions. This eliminates the command injection vector by avoiding the execution of shell commands for credential handling. [ref_id=1]
Preconditions
- auth: The attacker must have authenticated access to the Nginx Proxy Manager interface to add a certificate.
- input: The attacker must provide malicious input in the 'dns_provider_credentials' field when configuring a Let's Encrypt certificate with a DNS challenge.
Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/NginxProxyManager/nginx-proxy-manager/blob/v2.11.3/backend/internal/certificate.js (mitre)
- github.com/NginxProxyManager/nginx-proxy-manager/commit/99cce7e2b0da2978411cedd7cac5fffbe15bc466 (mitre)
- github.com/NginxProxyManager/nginx-proxy-manager/pull/4073/commits/c39d5433bcd13993def222bbb2b6988bbb810a05 (mitre)
News mentions
No linked articles in our index yet.