nginx-proxy-manager

v2.15.0 Security

This release includes 3 security fixes for security teams reviewing exposed deployments.

Published 3d Reverse Proxies & Load Balancers

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 3 known CVEs

Topics

nginx nginx-proxy

Affected surfaces

breaking_upgrade deps

ReleasePort's take

Moderate signal

editorial:auto 3d

OpenResty v2.15.0 patches CVE-2026-42945, CVE-2026-8711, and CVE-2026-9256.

Why it matters: The release fixes three critical vulnerabilities (CVEs) in the OpenResty runtime; operators should upgrade immediately to mitigate high‑severity risks.

Summary

AI summary

OpenResty updated to address CVE-2026-42945, CVE-2026-8711 and CVE-2026-9256.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Updated OpenResty to address CVE-2026-42945, CVE-2026-8711, and CVE-2026-9256. Updated OpenResty to address CVE-2026-42945, CVE-2026-8711, and CVE-2026-9256. Source: llm_adapter@2026-06-01 Confidence: high	—
Feature
Feature	Low	Adds column sorting to Nginx tables. Adds column sorting to Nginx tables. Source: llm_adapter@2026-06-01 Confidence: high	—
Feature	Low	Add host info to proxy host delete confirmation modal. Add host info to proxy host delete confirmation modal. Source: llm_adapter@2026-06-01 Confidence: high	—
Feature	Low	Add SECURITY.md for security policy and reporting. Add SECURITY.md for security policy and reporting. Source: llm_adapter@2026-06-01 Confidence: high	—
Feature	Low	Add Norwegian locale. Add Norwegian locale. Source: llm_adapter@2026-06-01 Confidence: high	—
Feature	Low	Update Russian, Irish, French, Dutch locales. Update Russian, Irish, French, Dutch locales. Source: granite4.1:30b@2026-06-01-audit Confidence: low	—
Dependency
Dependency	Low	Updated deSec certbot plugin. Updated deSec certbot plugin. Source: llm_adapter@2026-06-01 Confidence: high	—
Dependency	Low	Updated EuroDNS certbot plugin. Updated EuroDNS certbot plugin. Source: llm_adapter@2026-06-01 Confidence: high	—
Dependency	Low	Added Hostinger certbot plugin. Added Hostinger certbot plugin. Source: granite4.1:30b@2026-06-01-audit Confidence: low	—
Dependency	Low	Added RcodeZero certbot plugin. Added RcodeZero certbot plugin. Source: granite4.1:30b@2026-06-01-audit Confidence: low	—
Dependency	Low	Added hoster.by certbot plugin. Added hoster.by certbot plugin. Source: granite4.1:30b@2026-06-01-audit Confidence: low	—
Bugfix
Bugfix	Medium	Fix silent nginx config corruption in 50-ipv6.sh. Fix silent nginx config corruption in 50-ipv6.sh. Source: llm_adapter@2026-06-01 Confidence: high	—
Bugfix	Medium	Fix translation in streams table ignoring current enable/disable state. Fix translation in streams table ignoring current enable/disable state. Source: llm_adapter@2026-06-01 Confidence: high	—
Bugfix	Medium	Fix Undefined Variable next Referenced in Route Error Handler. Fix Undefined Variable next Referenced in Route Error Handler. Source: llm_adapter@2026-06-01 Confidence: high	—

Full changelog

[!WARNING]
Major update: Debian Trixie base image, OpenResty, Certbot and Python have been updated. Exercise caution with this upgrade as your DNS plugins may not work as expected and require tweaks to dependencies. See the new Certbot Doc for more info.

Changes

Updated OpenResty to address CVE-2026-42945 / CVE-2026-8711 / CVE-2026-9256
Certbot DNS plugin installs are tested in CI now; but usage of them for requesting certs is not
Fix SQLLite issue with NOW()
Regenerate configs improvements
Lots of Node dep updates
Fix incorrect html description
Various Cypress improvements
Fix silent nginx config corruption in 50-ipv6.sh (thanks @bill-mahoney)
Added PUT and DELETE method to Access-Control-Allow-Methods field (thanks @MBulli)
Adds column sorting to Nginx tables (thanks @clementfavre)
fix Nginx Proxy Manager allows any authenticated user to modify their own roles field through the PUT (thanks @Zoey2936)
Fix translation in streams table ignoring current enable/disable state (thanks @tomas-bara)
Add SECURITY.md for security policy and reporting (thanks @jcarvajalantigua)
Fix Undefined Variable next Referenced in Route Error Handler (thanks @barttran2k)
Fix grammar and clarity issues in README.md (thanks @Arihant101)
Access list clients ordered insert (thanks @edklesel)
Docs: Fix PostgreSQL volume mapping to prevent data loss (thanks @fankes)
Docs: add NPM Auth Gateway to third-party integrations (thanks @Mark0025)
Docs: add selfhosting.sh guide to third-party list (thanks @roundone)
Adds host info to proxy host delete confirmation modal (thanks @clementfavre)
fix: omit "Access rules" directives if no rules configured (thanks @Matthew-Kilpatrick)
Add hoster.by certbot plugin (thanks @butalex11)
Add RcodeZero certbot plugin (thanks @Ludo-code)
Updated deSec certbot plugin (thanks @MichaelJanssenNesai)
Add Hostinger certbot plugin (thanks @rfos)
Updated EuroDNS certbot plugin (thanks @DaanSelen)
🇳🇴 Add Norwegian locale (thanks @biodland)
🇪🇪 Add Estonia locale (thanks @siimaarmaa)
🇷🇺 Updated Russian locale (thanks @kraineff)
🇮🇪 Updated Irish locale (thanks @eren-karakus0)
🇫🇷 Updated French locale (thanks @Flop2691)
🇫🇷 Updated French locale (thanks @MarioGervais)
🇳🇱 Updated Dutch locale (thanks @Stephan-P)

Docker images

Security Fixes

CVE-2026-42945 — vulnerability in OpenResty addressed
CVE-2026-8711 — vulnerability in OpenResty addressed
CVE-2026-9256 — vulnerability in OpenResty addressed

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track nginx-proxy-manager

Get notified when new releases ship.

About nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface