Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, the GetSettings API handler (api/settings/settings.go:24-65) serializes all settings structs to JSON and returns them to authenticated users. Many sensitive fields are tagged with protected:"true" - however, this tag is only enforced during writes (via ProtectedFill in SaveSettings) and is completely ignored during reads. This exposes 40+ protected fields including JwtSecret (enabling auth token forgery), NodeSecret (enabling cluster node impersonation), OIDC ClientSecret (enabling OAuth account takeover), and the IP whitelist configuration. This issue has been patched in version 2.3.8.
AnalysisAI
nginx-ui versions prior to 2.3.8 expose 40+ protected configuration fields through the GetSettings API to authenticated users, including JwtSecret (auth token forgery), NodeSecret (cluster impersonation), and OIDC ClientSecret (OAuth takeover). The protected tag is enforced only during writes but completely ignored during reads, allowing authenticated attackers to extract sensitive secrets and IP whitelist configurations without requiring additional privileges or user interaction.
Technical ContextAI
nginx-ui is a web management interface for Nginx built in Go. The vulnerability exists in the GetSettings API handler (api/settings/settings.go:24-65) which serializes all settings structs to JSON. While sensitive fields are annotated with protected:true tags - intended to prevent unauthorized modification - the read operation in GetSettings bypasses this protection entirely. The ProtectedFill function enforces the tag only during SaveSettings (write operations), creating an asymmetric validation gap. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) classifies this as improper access control on sensitive data at rest within the application layer.
RemediationAI
Vendor-released patch: nginx-ui version 2.3.8. Upgrade immediately by pulling the v2.3.8 release tag or later from the nginx-ui repository and redeploying. If immediate upgrade is not feasible, apply network-level compensating controls: restrict API access to trusted internal networks only, implement reverse proxy authentication ahead of nginx-ui (e.g., WAF or API gateway), and rotate all exposed secrets (JwtSecret, NodeSecret, OIDC ClientSecret) after potential compromise is confirmed. Additionally, audit logs for GetSettings API calls to identify if unauthorized secret access occurred. Note that compensating controls do not remediate the underlying vulnerability; they only reduce exposure window. Patch application is mandatory.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27140
GHSA-q4w7-56hr-83rm