EUVD-2026-27140
GHSA-q4w7-56hr-83rm
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes (via ProtectedFill in SaveSettings) and is completely ignored during reads. This exposes 40+ protected fields including JwtSecret (enabling auth token forgery), NodeSecret (enabling cluster node impersonation), OIDC ClientSecret (enabling OAuth account takeover), and the IP whitelist configuration. This issue has been patched in version 2.3.8.
AnalysisAI
nginx-ui versions prior to 2.3.8 expose 40+ protected configuration fields through the GetSettings API to authenticated users, including JwtSecret (auth token forgery), NodeSecret (cluster impersonation), and OIDC ClientSecret (OAuth takeover). The protected tag is enforced only during writes but completely ignored during reads, allowing authenticated attackers to extract sensitive secrets and IP whitelist configurations without requiring additional privileges or user interaction.
Sign in for full analysis, threat intelligence, and remediation guidance.
More from same product – last 7 days
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers
Pre-NVD disclosure via oss-security: oss-security mailing list - 2026/05/22. ty (Colm O hEigeartaigh <coheigea@...che.or
Arbitrary file write in the compliance-trestle Python library (versions 4.0.0-4.0.2 and any release below 3.12.2) lets a
Share
External POC / Exploit Code
Leaving vuln.today