CVE-2026-50892

An authenticated attacker with certificate read access (e.g., the `certificates:get` capability) sends a crafted GET request to `/api/nginx/certificates/{certificate_id}/download` for a certificate they can view. The server returns a ZIP archive that includes the private key file (`privkey.pem`) from the certificate directory. The attacker can then unzip the archive and extract the TLS private key material, enabling impersonation of the TLS endpoint.

The vulnerability resides in the download handler at `backend/internal/certificate.js::download()` (route `GET /api/nginx/certificates/:certificate_id/download`). The endpoint packages files from the live certificate directory into a ZIP archive but fails to exclude private key files such as `privkey.pem`, returning them alongside public certificate material.

The advisory does not include a published patch. The recommended remediation is to modify the `download()` handler in `backend/internal/certificate.js` so that the generated ZIP archive contains only public certificate and chain files, explicitly excluding private key material such as `privkey.pem`. Without this change, any user with read-level certificate access can obtain the private key, violating the principle of least privilege.

Log in to Nginx Proxy Manager 2.14.0 as a user with certificate read access, such as the `certificates:get` permission for a certificate. Send `GET /api/nginx/certificates/{certificate_id}/download` for a certificate visible to that user. Save and unzip the returned archive. Observe private key material such as `privkey.pem` included alongside the certificate files. Compare the result with the expected read-only certificate visibility boundary and confirm that private key material is included in the downloaded package.