Skip to main content

nginx-ui CVE-2026-42220

| EUVDEUVD-2026-27133 MEDIUM
Information Exposure (CWE-200)
2026-05-04 GitHub_M GHSA-7jrr-xw9c-mj39
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
May 04, 2026 - 22:17 EUVD
Analysis Generated
May 04, 2026 - 21:00 vuln.today

DescriptionGitHub Advisory

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8.

AnalysisAI

nginx-ui prior to version 2.3.8 exposes sensitive configuration values including node.secret via an authenticated GET /api/settings endpoint, allowing an authenticated user to retrieve the shared authentication secret and subsequently impersonate the init administrative user by sending requests with the stolen node.secret via the X-Node-Secret header or node_secret query parameter. This enables privilege escalation and full administrative access to the Nginx configuration interface without additional authentication.

Technical ContextAI

nginx-ui is a web-based administration interface for Nginx that implements authentication via a trusted-node mechanism. The application stores a shared secret (node.secret) used for inter-node communication and bootstrapping. The vulnerability stems from two related weaknesses: first, the /api/settings endpoint fails to restrict access to sensitive parameters despite the user being authenticated at a lower privilege level; second, the AuthRequired() authentication handler accepts the same node.secret value through the X-Node-Secret HTTP header or node_secret query parameter without distinguishing between legitimate inter-node communication and user-supplied values. This conflates two authentication pathways-user authentication and trusted-node authentication-allowing credential leakage to become privilege escalation. The root cause is CWE-200 (Information Exposure) combined with improper use of a shared secret in a multi-tier authentication model.

RemediationAI

Upgrade nginx-ui to version 2.3.8 or later immediately; this is the vendor-released patch that addresses the information disclosure and credential leakage. The fix modifies the /api/settings endpoint to redact sensitive values (including node.secret) from responses to authenticated users, and separately strengthens the AuthRequired() handler to prevent user-supplied node_secret parameters from being accepted as equivalent to legitimate inter-node communication. If immediate upgrade is not feasible, implement network-level controls to restrict access to the /api/settings endpoint to trusted administrative networks only, and disable or restrict the X-Node-Secret header and node_secret query parameter acceptance at a reverse proxy layer (e.g., nginx upstream, WAF rule) - however, this workaround does not fully mitigate the information disclosure and should not be relied upon long-term. Audit logs for any calls to /api/settings by low-privilege accounts prior to the upgrade; if node.secret has been exposed, rotate it and review administrative session tokens for signs of misuse.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-42220 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy