diff --git a/http/misconfiguration/nginx/nginx-api-traversal.yaml b/http/misconfiguration/nginx/nginx-api-traversal.yaml
new file mode 100644
index 0000000000..5f7528c9c5
--- /dev/null
+++ b/http/misconfiguration/nginx/nginx-api-traversal.yaml
@@ -0,0 +1,109 @@
+id: nginx-api-traversal
+
+info:
+  name: Nginx Plus Rest API - Traversal
+  author: encodedguy
+  severity: high
+  description: |
+    Access to Nginx Plus Rest API was discovered.
+  reference:
+    - https://nginx.org/en/docs/http/ngx_http_api_module.html
+    - https://x.com/akshaysharma71/status/1825815869953552844
+  metadata:
+    verified: true
+  tags: nginx,fuzz,misconfig,lfi
+
+http:
+  - method: GET
+    path:
+      - "{{BaseURL}}{{paths}}"
+
+    payloads:
+      paths:
+        - "/api/1/nginx"
+        - "/api/2/nginx"
+        - "/api/3/nginx"
+        - "/api/5/nginx"
+        - "/api/9/nginx"
+        - "/../../../../../../api/1/nginx"
+        - "/../../../../../../api/2/nginx"
+        - "/../../../../../../api/3/nginx"
+        - "/../../../../../../api/5/nginx"
+        - "/../../../../../../api/9/nginx"
+        - "/../../../../../api/1/nginx"
+        - "/../../../../../api/2/nginx"
+        - "/../../../../../api/3/nginx"
+        - "/../../../../../api/5/nginx"
+        - "/../../../../../api/9/nginx"
+        - "/../../../../api/1/nginx"
+        - "/../../../../api/2/nginx"
+        - "/../../../../api/3/nginx"
+        - "/../../../../api/5/nginx"
+        - "/../../../../api/9/nginx"
+        - "/../../../api/1/nginx"
+        - "/../../../api/2/nginx"
+        - "/../../../api/3/nginx"
+        - "/../../../api/5/nginx"
+        - "/../../../api/9/nginx"
+        - "/../../api/1/nginx"
+        - "/../../api/2/nginx"
+        - "/../../api/3/nginx"
+        - "/../../api/5/nginx"
+        - "/../../api/9/nginx"
+        - "/../api/1/nginx"
+        - "/../api/2/nginx"
+        - "/../api/3/nginx"
+        - "/../api/5/nginx"
+        - "/../api/9/nginx"
+        - "/..;/..;/..;/..;/..;/..;/api/1/nginx"
+        - "/..;/..;/..;/..;/..;/..;/api/2/nginx"
+        - "/..;/..;/..;/..;/..;/..;/api/3/nginx"
+        - "/..;/..;/..;/..;/..;/..;/api/5/nginx"
+        - "/..;/..;/..;/..;/..;/..;/api/9/nginx"
+        - "/..;/..;/..;/..;/..;/api/1/nginx"
+        - "/..;/..;/..;/..;/..;/api/2/nginx"
+        - "/..;/..;/..;/..;/..;/api/3/nginx"
+        - "/..;/..;/..;/..;/..;/api/5/nginx"
+        - "/..;/..;/..;/..;/..;/api/9/nginx"
+        - "/..;/..;/..;/..;/api/1/nginx"
+        - "/..;/..;/..;/..;/api/2/nginx"
+        - "/..;/..;/..;/..;/api/3/nginx"
+        - "/..;/..;/..;/..;/api/5/nginx"
+        - "/..;/..;/..;/..;/api/9/nginx"
+        - "/..;/..;/..;/api/1/nginx"
+        - "/..;/..;/..;/api/2/nginx"
+        - "/..;/..;/..;/api/3/nginx"
+        - "/..;/..;/..;/api/5/nginx"
+        - "/..;/..;/..;/api/9/nginx"
+        - "/..;/..;/api/1/nginx"
+        - "/..;/..;/api/2/nginx"
+        - "/..;/..;/api/3/nginx"
+        - "/..;/..;/api/5/nginx"
+        - "/..;/..;/api/9/nginx"
+        - "/..;/api/1/nginx"
+        - "/..;/api/2/nginx"
+        - "/..;/api/3/nginx"
+        - "/..;/api/5/nginx"
+        - "/..;/api/9/nginx"
+
+    stop-at-first-match: true
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body
+        words:
+          - "version"
+          - "build"
+          - "address"
+          - "load_timestamp"
+        condition: and
+
+      - type: word
+        part: content_type
+        words:
+          - application/json
+
+      - type: status
+        status:
+          - 200