Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8.
AnalysisAI
nginx-ui prior to version 2.3.8 exposes sensitive configuration values including node.secret via an authenticated GET /api/settings endpoint, allowing an authenticated user to retrieve the shared authentication secret and subsequently impersonate the init administrative user by sending requests with the stolen node.secret via the X-Node-Secret header or node_secret query parameter. This enables privilege escalation and full administrative access to the Nginx configuration interface without additional authentication.
Technical ContextAI
nginx-ui is a web-based administration interface for Nginx that implements authentication via a trusted-node mechanism. The application stores a shared secret (node.secret) used for inter-node communication and bootstrapping. The vulnerability stems from two related weaknesses: first, the /api/settings endpoint fails to restrict access to sensitive parameters despite the user being authenticated at a lower privilege level; second, the AuthRequired() authentication handler accepts the same node.secret value through the X-Node-Secret HTTP header or node_secret query parameter without distinguishing between legitimate inter-node communication and user-supplied values. This conflates two authentication pathways-user authentication and trusted-node authentication-allowing credential leakage to become privilege escalation. The root cause is CWE-200 (Information Exposure) combined with improper use of a shared secret in a multi-tier authentication model.
RemediationAI
Upgrade nginx-ui to version 2.3.8 or later immediately; this is the vendor-released patch that addresses the information disclosure and credential leakage. The fix modifies the /api/settings endpoint to redact sensitive values (including node.secret) from responses to authenticated users, and separately strengthens the AuthRequired() handler to prevent user-supplied node_secret parameters from being accepted as equivalent to legitimate inter-node communication. If immediate upgrade is not feasible, implement network-level controls to restrict access to the /api/settings endpoint to trusted administrative networks only, and disable or restrict the X-Node-Secret header and node_secret query parameter acceptance at a reverse proxy layer (e.g., nginx upstream, WAF rule) - however, this workaround does not fully mitigate the information disclosure and should not be relied upon long-term. Audit logs for any calls to /api/settings by low-privilege accounts prior to the upgrade; if node.secret has been exposed, rotate it and review administrative session tokens for signs of misuse.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27133
GHSA-7jrr-xw9c-mj39