Frontend is storing password in clear text

[eriosgamer]

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • Yes
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes

Describe the bug
While exploring the SQLite database, I found that passwords are stored in plain text in the"access_list_auth" table.

Nginx Proxy Manager Version
jc21/nginx-proxy-manager:latest

To Reproduce
Steps to reproduce the behavior:
1- Make a fresh install
2- Set the user and password
3- Create a new Access List

Expected behavior
Passwords or authorization details should be securely stored (e.g., hashed) in the database.

Screenshots

Operating System
CachyOS (Arch Linux) and Debian 12

Additional context
Docker Version: 28.3.0, build 38b7060a21
Docker-Compose Version: version 2.37.3

The screenshot is from a Python script i wrote that displays the contents of database.sqlite.

[rezzorix]

Not a bug.

The access_list_auth table stores plaintext credentials so Nginx Proxy Manager can generate authentication configs for Nginx and allow users to edit those credentials through the UI. Nginx reads these files for HTTP Basic Auth (Nginx auth_basic module) but does not create them itself.

This isn’t a security risk unless someone already has access to your server files. User login passwords for NPM itself are stored hashed.