Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes (via ProtectedFill in SaveSettings) and is completely ignored during reads. This exposes 40+ protected fields including JwtSecret (enabling auth token forgery), NodeSecret (enabling cluster node impersonation), OIDC ClientSecret (enabling OAuth account takeover), and the IP whitelist configuration. This issue has been patched in version 2.3.8.
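The advisory's root cause is an asymmetry: the `protected:"true"` struct tag is honoured when settings are written but ignored when they are read and serialized. The following Go example, added here and not taken from nginx-ui's code base, shows how a read path can enforce the same tag. It defines small hypothetical settings types (`AuthSettings`, `NodeSettings`, `Settings` are assumptions, not the project's own types), a reflection-based `RedactProtected` helper that zeroes every tagged field in a copy before JSON encoding, and a `ProtectedFields` helper that a unit test can use to confirm no tagged field is populated in a GET response.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// Hypothetical settings types modelled on the pattern the advisory describes:
// sensitive fields carry a protected:"true" struct tag. These names are
// assumptions for the example, not nginx-ui's own types.
type AuthSettings struct {
	JwtSecret  string `json:"jwt_secret" protected:"true"`
	TokenHours int    `json:"token_hours"`
}

type NodeSettings struct {
	Name       string `json:"name"`
	NodeSecret string `json:"node_secret" protected:"true"`
}

type Settings struct {
	Auth AuthSettings `json:"auth"`
	Node NodeSettings `json:"node"`
}

// RedactProtected returns a copy of a struct value in which every field tagged
// protected:"true" is reset to its zero value, recursing into nested structs.
// The input is copied first, so the caller's live settings are not modified.
// Pointer, map and slice members are not traversed in this example.
func RedactProtected(v interface{}) interface{} {
	src := reflect.ValueOf(v)
	cp := reflect.New(src.Type()).Elem() // addressable, so its fields can be set
	cp.Set(src)
	redact(cp)
	return cp.Interface()
}

func redact(v reflect.Value) {
	if v.Kind() != reflect.Struct {
		return
	}
	t := v.Type()
	for i := 0; i < v.NumField(); i++ {
		f := v.Field(i)
		if !f.CanSet() { // unexported field: encoding/json skips it anyway
			continue
		}
		if t.Field(i).Tag.Get("protected") == "true" {
			f.Set(reflect.Zero(f.Type()))
			continue
		}
		redact(f)
	}
}

// MarshalSafe is what a read handler should return: the redacted copy as JSON.
func MarshalSafe(v interface{}) ([]byte, error) {
	return json.Marshal(RedactProtected(v))
}

// ProtectedFields lists the JSON paths of every protected field in a type, so a
// test can check that none of them is populated in a GET response.
func ProtectedFields(v interface{}) []string {
	var out []string
	collect(reflect.TypeOf(v), "", &out)
	return out
}

func collect(t reflect.Type, prefix string, out *[]string) {
	if t.Kind() != reflect.Struct {
		return
	}
	for i := 0; i < t.NumField(); i++ {
		sf := t.Field(i)
		name := strings.SplitN(sf.Tag.Get("json"), ",", 2)[0]
		if name == "" {
			name = sf.Name
		}
		if sf.Tag.Get("protected") == "true" {
			*out = append(*out, prefix+name)
			continue
		}
		collect(sf.Type, prefix+name+".", out)
	}
}

func main() {
	// Constructed sample values; not real secrets.
	s := Settings{
		Auth: AuthSettings{JwtSecret: "constructed-jwt-secret", TokenHours: 24},
		Node: NodeSettings{Name: "node-1", NodeSecret: "constructed-node-secret"},
	}
	leaky, _ := json.Marshal(s) // the unfiltered read the advisory describes
	safe, _ := MarshalSafe(s)
	fmt.Println("unfiltered:", string(leaky))
	fmt.Println("redacted:  ", string(safe))
	fmt.Println("protected paths:", ProtectedFields(s))
}
```

The redacted copy keeps the JSON keys but empties their values, so a client can still see which settings exist without learning the secrets; a handler could equally drop the keys. Wiring `ProtectedFields` into a test that asserts every listed path is empty in the response is the check that would have caught the asymmetry between the write and read paths.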
Published: 2026-05-04
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw lets authenticated users retrieve the full settings payload via the GetSettings API; the handler serializes every configuration field to JSON without filtering the ones tagged as protected. Sensitive fields such as JwtSecret, NodeSecret, and the OIDC ClientSecret can be extracted, enabling token forgery, cluster node impersonation, or OAuth account takeover. The weakness is a confidentiality breach (CWE-200).

Affected Systems

The vulnerable component is nginx-ui, version 2.3.7 and earlier, by the vendor 0xJacky. A patch was released in v2.3.8; any deployment using earlier releases is susceptible.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity; EPSS is not reported, and the vulnerability is not in CISA KEV. Attackers need only authenticated access to the web interface; the flaw is read-only and requires no privileges beyond that login. Exploitation would allow the attacker to exfiltrate secrets and compromise authentication mechanisms.

Generated by OpenCVE AI on May 4, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade nginx-ui to version 2.3.8 or later to apply the vendor patch.
  • If an upgrade is not immediately possible, restrict or remove access to the Settings API for non-trusted users, ensuring that only administrative accounts can query it.
  • After any exposure, revoke and rotate the exposed secrets (JWT, node, OIDC client) and deploy the new credential values.


Advisories

No advisories yet.

History

Mon, 04 May 2026 21:45:00 +0000

Type: First Time appeared
  Values Added: 0xjacky; 0xjacky nginx-ui
Type: Vendors & Products
  Values Added: 0xjacky; 0xjacky nginx-ui

Mon, 04 May 2026 20:30:00 +0000

Type: Description
  Values Added: Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes (via ProtectedFill in SaveSettings) and is completely ignored during reads. This exposes 40+ protected fields including JwtSecret (enabling auth token forgery), NodeSecret (enabling cluster node impersonation), OIDC ClientSecret (enabling OAuth account takeover), and the IP whitelist configuration. This issue has been patched in version 2.3.8.
Type: Title
  Values Added: nginx-ui: Settings API Exposes Protected Secrets
Type: Weaknesses
  Values Added: CWE-200
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

0xjacky Nginx-ui
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-04T20:12:00.546Z

Reserved: 2026-04-25T05:37:12.116Z

Link: CVE-2026-42223

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-04T21:16:32.320

Modified: 2026-05-04T21:16:32.320

Link: CVE-2026-42223

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T21:30:09Z

Weaknesses