Checklist
- Have you pulled and found the error with the jc21/nginx-proxy-manager:latest docker image?
- Are you sure you're not using someone else's docker image?
- Have you searched for similar issues (both open and closed)?
Describe the bug
Nginx Proxy Manager Version
v2.14.0
To Reproduce
Steps to reproduce the behavior:
- Go to '...'
- Click on '....'
- Scroll down to '....'
- See error
Expected behavior
Privilege Escalation Vulnerability in Nginx Proxy Manager v2.14.0
The Nginx Proxy Manager allows any authenticated user to modify their own roles field through the PUT /api/users/:id endpoint without proper authorization checks. This enables a low-privileged user to escalate their privileges to administrator level by directly modifying their own user profile.
PUT /api/users/:id
→ Does not check whether the current user is authorized to modify the target user
→ Does not check whether the roles field can be modified
→ Any user can modify their own roles
Proof:
Create a new regular user, e.g. ggg
✅ User ggg (ID=2) has an empty initial role (roles=[])
✅ User ggg obtains a Token after login (scope=[“user”])
✅ User ggg calls PUT /api/users/2 using their own Token
✅ Audit log records: Operator ID=2 modified user#2
✅ Successfully changes the role from [] to [“admin”]
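The two missing checks listed above (caller may not modify another user; a non-admin may not change the roles field) can be modelled in a few lines. The following is an added example, not code from the Nginx Proxy Manager project: it places an unchecked update handler, behaving as the report describes, next to a hardened one that runs an authorization decision first, and adds an audit-log check that flags an operator changing their own roles (the pattern the report's audit entry shows). The function names (updateUserUnchecked, updateUserChecked, authorizeUserUpdate, flagSelfRoleChange), the SELF_EDITABLE_FIELDS allow-list and the in-memory user store are all assumptions made for the example.

```javascript
// Added example, not Nginx Proxy Manager's own code. Models the authorization
// decision a PUT /api/users/:id handler must make before applying a payload.

// Constructed in-memory user store, mirroring the report's IDs:
// user 1 is an admin, user 2 ("ggg") is a regular user with no roles.
const USERS = new Map([
  [1, { id: 1, name: 'admin', roles: ['admin'] }],
  [2, { id: 2, name: 'ggg', roles: [] }],
]);

// Fields a non-admin may change on their own profile (assumed allow-list).
// Anything outside it, notably "roles", is rejected for non-admin callers.
const SELF_EDITABLE_FIELDS = new Set(['name', 'nickname', 'email']);

function isAdmin(user) {
  return Array.isArray(user.roles) && user.roles.includes('admin');
}

// Clone the store so each scenario starts from the same state.
function freshStore() {
  return new Map([...USERS].map(([id, u]) => [id, { ...u, roles: [...u.roles] }]));
}

// Vulnerable pattern as the report describes it: the payload is applied to the
// target record without checking who the caller is or which fields it carries.
function updateUserUnchecked(store, callerId, targetId, patch) {
  const target = store.get(targetId);
  if (!target) return { status: 404 };
  Object.assign(target, patch);
  return { status: 200, user: target };
}

// Hardened decision: returns null when the update is allowed, otherwise the
// reason for denial. Both checks the report lists as missing live here.
function authorizeUserUpdate(caller, targetId, patch) {
  if (!caller) return 'unauthenticated';
  const admin = isAdmin(caller);
  if (caller.id !== targetId && !admin) return 'cannot modify another user';
  for (const field of Object.keys(patch)) {
    if (!admin && !SELF_EDITABLE_FIELDS.has(field)) {
      return `field "${field}" is not self-editable`;
    }
  }
  return null;
}

function updateUserChecked(store, callerId, targetId, patch) {
  const denial = authorizeUserUpdate(store.get(callerId), targetId, patch);
  if (denial) return { status: 403, error: denial };
  const target = store.get(targetId);
  if (!target) return { status: 404 };
  Object.assign(target, patch);
  return { status: 200, user: target };
}

// Runs the report's scenario (user 2 updates user 2 with roles=["admin"])
// through a given handler and reports the resulting status and roles.
function scenarioSelfEscalation(handler) {
  const store = freshStore();
  const res = handler(store, 2, 2, { roles: ['admin'] });
  return { status: res.status, roles: store.get(2).roles };
}

// Detection side: given an audit entry of the assumed shape
// { operatorId, targetId, before, after }, flag an operator changing their
// own roles. This is the pattern visible in the report's audit log line.
function flagSelfRoleChange(entry) {
  const rolesChanged =
    JSON.stringify(entry.before.roles || []) !== JSON.stringify(entry.after.roles || []);
  return entry.operatorId === entry.targetId && rolesChanged;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('unchecked:', scenarioSelfEscalation(updateUserUnchecked));
  console.log('checked:  ', scenarioSelfEscalation(updateUserChecked));
}
```

The allow-list approach is deliberate: denying a fixed list of sensitive fields (roles today, perhaps is_disabled tomorrow) tends to drift out of date, while an allow-list of self-editable fields fails closed when a new column is added. The audit check is the complementary control for deployments that cannot patch immediately: an operator id equal to the target id together with a roles diff is a high-signal event to alert on.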
Screenshots
Operating System
Additional context