nginx-proxy-manager Prototype Pollution via JSON Parser Enables Unauthenticated RCE (CVE-2026-13228)
Scope: nginx-proxy-manager-2-rootfs Package Versions Prior to 2.13.1-r0
Severity: Red
A critical prototype pollution vulnerability in the JSON parsing component of nginx-proxy-manager allows an unauthenticated remote attacker to supply strings that the circular-JSON parser uses as index keys. Because such a key is applied as a plain property name without being checked against prototype-reaching names (for example `__proto__`), the parser writes attacker-controlled values into the application's shared global prototype object, polluting every object that inherits from it. Downstream application logic that reads properties from ordinary objects then observes the attacker's values, which creates a pathway to remote code execution.

nginx-proxy-manager is widely deployed as a reverse proxy management interface in self-hosted homelab and SME environments, and its management port is often inadvertently exposed to the internet, so the unauthenticated attack surface is significant.

Organizations must upgrade the nginx-proxy-manager-2-rootfs package to version 2.13.1-r0 or later, restrict access to the management interface to trusted internal networks only, and avoid exposing the nginx-proxy-manager admin panel on internet-facing ports. Network restriction reduces exposure but does not remove the flaw; only the package upgrade does.
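The mechanism described above, as an added illustration that is not nginx-proxy-manager's code and does not reproduce the specific parser in the advisory: a toy recursive deserializer that descends into `target[key]` using document-supplied keys. With the key `__proto__`, the lookup resolves to `Object.prototype` and the recursion writes into it, so an unrelated object created before parsing (and every fresh `{}`) inherits the attacker's value. The hardened variant rejects prototype-reaching keys, descends only into own properties, and uses prototype-less containers. `getOption` is a hypothetical stand-in for downstream property access, and `ATTACKER_DOC` is a constructed sample document.

```javascript
// Keys that resolve to, or reach, shared prototypes when used as plain property names.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// VULNERABLE (illustrative): recursively merges a parsed JSON tree into `target`.
// It descends into target[key] without checking that `key` is an own property, so a
// document key of "__proto__" resolves to Object.prototype and the recursive call
// writes attacker values into the prototype shared by every plain object in the process.
function reviveInto(target, node) {
  for (const key of Object.keys(node)) {
    const value = node[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      if (typeof target[key] !== 'object' || target[key] === null) {
        target[key] = {};
      }
      reviveInto(target[key], value); // with key === "__proto__" this is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

function parseVulnerable(text) {
  return reviveInto({}, JSON.parse(text));
}

// HARDENED: rejects prototype-reaching keys outright, descends only into own
// properties, and builds prototype-less containers so there is no chain to pollute.
function reviveIntoSafe(target, node) {
  for (const key of Object.keys(node)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`rejected unsafe key "${key}" in document`);
    }
    const value = node[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      let child = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      if (typeof child !== 'object' || child === null) {
        child = Object.create(null);
        target[key] = child;
      }
      reviveIntoSafe(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function parseSafe(text) {
  return reviveIntoSafe(Object.create(null), JSON.parse(text));
}

// Hypothetical stand-in for downstream application logic (not the project's code):
// reads an option with a fallback. After pollution, an object that never had the key
// still "has" it through the prototype chain, so the attacker's value wins.
function getOption(opts, name, fallback) {
  return opts[name] !== undefined ? opts[name] : fallback;
}

// Constructed attacker document: a harmless top-level key plus a "__proto__" subtree.
const ATTACKER_DOC = '{"name":"proxy-host","__proto__":{"injected":"attacker-value"}}';

function demonstrate() {
  const result = {};
  const unrelated = {}; // created before parsing, never touched by either parser
  result.before = getOption(unrelated, 'injected', 'default');

  parseVulnerable(ATTACKER_DOC);
  result.afterVulnerable = getOption(unrelated, 'injected', 'default');
  result.freshObjectAffected = getOption({}, 'injected', 'default');

  delete Object.prototype.injected; // undo the global pollution for the rest of the run
  result.afterCleanup = getOption(unrelated, 'injected', 'default');

  let safeRejected = false;
  try {
    parseSafe(ATTACKER_DOC);
  } catch (e) {
    safeRejected = true;
  }
  result.safeRejected = safeRejected;
  result.safeStillPolluted = getOption({}, 'injected', 'default') !== 'default';

  // Benign documents still round-trip through the hardened parser.
  const benign = parseSafe('{"name":"proxy-host","ssl":{"forced":true}}');
  result.benignForced = benign.ssl.forced;
  return result;
}

if (typeof module !== 'undefined') {
  module.exports = { parseVulnerable, parseSafe, getOption, demonstrate, ATTACKER_DOC };
  if (typeof require !== 'undefined' && require.main === module) console.log(demonstrate());
}
```

Run it with `node`: `afterVulnerable` and `freshObjectAffected` show the attacker's value on objects the parser never touched, which is the property that makes this class of bug reach unrelated code paths; the hardened parser refuses the document and leaves the prototype clean. Note the cleanup step: once `Object.prototype` is polluted in a real process, nothing short of a restart reliably restores it.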
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.