Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8.
Published: 2026-05-04
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Prior to version 2.3.8, any authenticated user of nginx‑ui can call the endpoint /api/settings and receive sensitive configuration values, such as the node.secret. That same secret is also accepted by the X‑Node‑Secret header or node_secret query parameter used by the trusted‑node authentication mechanism, allowing an attacker to impersonate the init user and gain full privileged access. The vulnerability therefore exposes confidential configuration data and enables privilege escalation to the highest level within the application.

Affected Systems

The affected product is nginx‑ui distributed by 0xJacky. All releases prior to v2.3.8 are vulnerable. Users should verify that their installation is upgraded to version 2.3.8 or newer to eliminate the flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. External Exploit Probability is not available, and the vulnerability is not listed in the CISA KEV catalog. Because any authenticated user can invoke the vulnerable endpoint, the attack vector is likely local or authenticated remote, depending on the compromise state of the web application. Exploitation requires only legitimate credentials; once the node.secret is retrieved, the attacker can authenticate as the init user via the trusted‑node path.

Generated by OpenCVE AI on May 4, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑supplied patch to upgrade to nginx‑ui 2.3.8 or later
  • Restrict access to the /api/settings endpoint so only users with elevated permissions can call it
  • Ensure that X‑Node‑Secret headers or node_secret query parameters are validated against the current user context rather than the init user
  • Audit and rotate the node.secret value after patching to mitigate any residual risk

Generated by OpenCVE AI on May 4, 2026 at 21:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 22:15:00 +0000

Type Values Removed Values Added
First Time appeared 0xjacky
0xjacky nginx-ui
Vendors & Products 0xjacky
0xjacky nginx-ui

Mon, 04 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8.
Title nginx-ui: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback
Weaknesses CWE-200
CWE-863
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

0xjacky Nginx-ui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T20:08:07.225Z

Reserved: 2026-04-25T05:04:37.029Z

Link: CVE-2026-42220

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T21:16:31.870

Modified: 2026-05-04T21:16:31.870

Link: CVE-2026-42220

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T22:00:10Z

Weaknesses