CVE-2026-42220
Published 2026-05-04
Priority: P3 (40) · Severity: medium · CVSS 3.1 base score: 6.5 · Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.30% (21.5th percentile)
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8.
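As an added illustration (not nginx-ui's code and not its 2.3.8 fix; the Settings struct, its field names and the handler names are hypothetical), a Go stand-in for both sides of the issue: a settings handler that echoes the configuration secrets back to any logged-in user beside one that redacts them, and a trusted-node check that accepts X-Node-Secret from the header only, refuses when no secret is configured, and compares in constant time.

```go
package main
import (
	"crypto/subtle"
	"encoding/json"
	"net/http"
	"net/http/httptest"
)

// Settings is a constructed stand-in for the app configuration; its field names are hypothetical, not nginx-ui's.
type Settings struct {
	AppName    string `json:"app_name"`
	JWTSecret  string `json:"jwt_secret,omitempty"`
	NodeSecret string `json:"node_secret,omitempty"`
}
// settingsHandler echoes the whole struct when redact is false (the defect: any
// logged-in user learns node.secret) and strips the secrets when redact is true.
func settingsHandler(cfg Settings, redact bool) http.HandlerFunc {
	if redact {
		cfg.JWTSecret, cfg.NodeSecret = "", ""
	}
	return func(w http.ResponseWriter, _ *http.Request) {
		json.NewEncoder(w).Encode(cfg)
	}
}
// nodeAuth guards the trusted-node path: header only (a query parameter ends up
// in access logs), refuse when no secret is configured, and compare in constant time.
func nodeAuth(secret string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := r.Header.Get("X-Node-Secret")
		if secret == "" || subtle.ConstantTimeCompare([]byte(got), []byte(secret)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// serveSettings and tryNodeAuth drive the handlers in-process via httptest.
func serveSettings(cfg Settings, redact bool) string {
	rec := httptest.NewRecorder()
	settingsHandler(cfg, redact)(rec, httptest.NewRequest("GET", "/api/settings", nil))
	return rec.Body.String()
}
func tryNodeAuth(secret, header, target string) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusNoContent) })
	req := httptest.NewRequest("GET", target, nil)
	req.Header.Set("X-Node-Secret", header)
	rec := httptest.NewRecorder()
	nodeAuth(secret, ok).ServeHTTP(rec, req)
	return rec.Code
}
```

Redacting the settings response and narrowing the trusted-node check are one hardening pattern; the page does not say what the upstream 2.3.8 patch changed.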
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 0xjacky | nginx-ui | < 2.3.8 | 2.3.8 |
| github.com | 0xjacky_nginx-ui | 0 – 1.9.9 | — |
| nginxui | nginx_ui | < 2.3.8 | 2.3.8 |
GHSA · 2026-05-05 · CVE-2026-42220 · MEDIUM · CWE-200
Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
## Summary
An authenticated user can call `GET /api/settings` and retrieve sensitive configuration values, including `node.secret`. The same `node.secret` is accepted by `AuthRequired()` through the `X-Node-Secret` header (or `node_secret` query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user.
In my local reproduction on `v2.3.6`, `GET /api/settings` also returned `app.jwt_secret`. After extracting `node.secret`, I was able to access `GET /api/backup` using only `X-Node-Secret`, download a full backup archive, and obtain the `X-Backup-Security`
VulDB · 2026-05-04 · CVE-2026-42220 · MEDIUM · CVSS 6.5
0xJacky nginx-ui up to 2.3.7 /api/settings AuthRequired information disclosure (EUVD-2026-27133)
A vulnerability, which was classified as problematic, has been found in 0xJacky nginx-ui up to 2.3.7. Impacted is the function AuthRequired of the file /api/settings. Performing a manipulation results in information disclosure.
This vulnerability is reported as CVE-2026-42220. The attack can be carried out remotely. No exploit exists.
It is advisable to upgrade the affected component.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.