CVE-2026-50892 | THREATINT

Description

Incorrect access control in the "Let's Encrypt" certificate download endpoint of Nginx Proxy Manager v2.14.0 allows authenticated attackers to obtain the TLS private key material via a crafted GET request.

PUBLISHED Reserved 2026-06-07 | Published 2026-06-15 | Updated 2026-06-16 | Assigner mitre

References

gist.github.com/pyuysig/2a581564816d0f9240a03bc2d5ce7356 exploit

gist.github.com/pyuysig/2a581564816d0f9240a03bc2d5ce7356

cve.org (CVE-2026-50892)

nvd.nist.gov (CVE-2026-50892)

Download JSON