CVE-2026-50892
MediumCVSS 6.5Exploitation Probability (EPSS)
Low risk1th percentile — higher than 1% of all known CVEs
Summary
In Nginx Proxy Manager v2.14.0, incorrect access control in the 'Let's Encrypt' certificate download endpoint allows authenticated attackers to obtain TLS private key material via a crafted GET request.
Risk Assessment
The organization may be exposed to theft of TLS private keys, leading to serious security breaches and potential attacks on communications secured with those keys.
Recommendation
It is recommended to update Nginx Proxy Manager to the latest version and review and strengthen access controls for certificate download endpoints.
Original NVD description (English source)
Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.

