PatchSiren cyber security CVE debrief
CVE-2026-50892 Nginx Proxy Manager CVE debrief
CVE-2026-50892 is an incorrect access control vulnerability in the 'Let's Encrypt' certificate download endpoint of Nginx Proxy Manager v2.14.0. Authenticated attackers can obtain the TLS private key material via a crafted GET request.
- Vendor: Nginx Proxy Manager
- Product: Nginx Proxy Manager
- CVSS: Unknown
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-15
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-15
Who should care
Users of Nginx Proxy Manager v2.14.0, especially those who have exposed the 'Let's Encrypt' certificate download endpoint to authenticated users.
Technical summary
The vulnerability exists in the 'Let's Encrypt' certificate download endpoint of Nginx Proxy Manager v2.14.0. Due to incorrect access control, authenticated attackers can craft a GET request to obtain the TLS private key material.
Defensive priority
High
Recommended defensive actions
- Update Nginx Proxy Manager to a version that fixes the vulnerability, if available.
- Restrict access to the 'Let's Encrypt' certificate download endpoint to only trusted users and services.
- Monitor the endpoint for suspicious activity and implement additional security measures, such as IP whitelisting or rate limiting.
Evidence notes
The CVE record and NVD detail provide official information about the vulnerability. A source reference is also available.
Official resources
- CVE-2026-50892 CVE record (CVE.org)
- CVE-2026-50892 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-50892 was published on 2026-06-15T20:16:32.210Z and has not been modified since then.