CVE Catalog

CVE-2026-50892

MediumCVSS 6.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.10%

1th percentile — higher than 1% of all known CVEs

Summary

In Nginx Proxy Manager v2.14.0, incorrect access control in the 'Let's Encrypt' certificate download endpoint allows authenticated attackers to obtain TLS private key material via a crafted GET request.

Risk Assessment

The organization may be exposed to theft of TLS private keys, leading to serious security breaches and potential attacks on communications secured with those keys.

Recommendation

It is recommended to update Nginx Proxy Manager to the latest version and review and strengthen access controls for certificate download endpoints.

Original NVD description (English source)

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS