CVE-2026-42220
Undergoing Analysis - In Progress
Authenticated Node Secret Exposure in Nginx UI

Publication date: 2026-05-04

Last updated on: 2026-05-06

Assigner: GitHub, Inc.

Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8.
Meta Information
Published: 2026-05-04
Last Modified: 2026-05-06
Generated: 2026-06-16
AI Q&A: 2026-05-05
EPSS Evaluated: 2026-06-14
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: nginxui
Product: nginx_ui
Version / Range: all versions before 2.3.8 (2.3.8 itself is not affected)
CWE ID and Description
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
AI Quick Actions
Executive Summary

This vulnerability affects the Nginx UI, a web user interface for the Nginx web server. Before version 2.3.8, an authenticated user could make a GET request to /api/settings and retrieve sensitive configuration values, including a secret called node.secret.

The node.secret is also an authentication credential: AuthRequired() accepts it through the X-Node-Secret header or the node_secret query parameter. Because the same secret is both readable from /api/settings and accepted by AuthRequired(), an attacker who obtains it can have their requests treated as authenticated through the trusted-node path and associated with the init user, potentially gaining elevated privileges.

This vulnerability was fixed in version 2.3.8 of Nginx UI.
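The two weaknesses in the Description and Executive Summary (a settings endpoint that serializes the live configuration including node.secret, and an authorization check that accepts that same secret from a header or a query parameter) are easiest to see side by side. The following Go program is an added example written for this page; it is not Nginx UI's code, and the settings layout, key names, handler names and the NodeSecretOK helper are hypothetical. It shows the vulnerable settings handler next to a hardened one that masks secret-named keys before encoding, and a trusted-node check in its vulnerable form (secret accepted from the query string, where it also lands in access logs and browser history) next to a hardened form that accepts only the header and compares in constant time.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed settings document for this example. Only the node.secret key
// mirrors the advisory; the rest of the structure is assumed.
var settings = map[string]any{
	"server": map[string]any{"port": 9000},
	"node":   map[string]any{"name": "primary", "secret": "example-node-secret"},
}

// secretKeys lists configuration keys whose values must never be returned
// to an API caller, regardless of the caller's role.
var secretKeys = map[string]bool{"secret": true, "token": true, "password": true}

// Redact returns a deep copy of cfg in which every value stored under a
// secret-named key is replaced by a fixed mask. Nested maps are walked
// recursively so node.secret is masked wherever it sits in the tree.
func Redact(cfg map[string]any) map[string]any {
	out := make(map[string]any, len(cfg))
	for k, v := range cfg {
		switch child := v.(type) {
		case map[string]any:
			out[k] = Redact(child)
		default:
			if secretKeys[strings.ToLower(k)] {
				out[k] = "********"
			} else {
				out[k] = v
			}
		}
	}
	return out
}

// vulnerableSettingsHandler encodes the live configuration verbatim, which
// is the class of defect the advisory describes: any authenticated caller
// receives node.secret in the response body.
func vulnerableSettingsHandler(w http.ResponseWriter, r *http.Request) {
	json.NewEncoder(w).Encode(settings)
}

// hardenedSettingsHandler encodes a redacted copy instead.
func hardenedSettingsHandler(w http.ResponseWriter, r *http.Request) {
	json.NewEncoder(w).Encode(Redact(settings))
}

// NodeSecretOK is a hypothetical trusted-node check. With hardened=false it
// also reads the credential from the node_secret query parameter; with
// hardened=true only the X-Node-Secret header is consulted, and the
// comparison is constant-time so a wrong value cannot be timed byte by byte.
func NodeSecretOK(r *http.Request, expected string, hardened bool) bool {
	presented := r.Header.Get("X-Node-Secret")
	if presented == "" && !hardened {
		presented = r.URL.Query().Get("node_secret")
	}
	if presented == "" {
		return false
	}
	return subtle.ConstantTimeCompare([]byte(presented), []byte(expected)) == 1
}

// SettingsResponseLeaksSecret drives a handler through httptest and reports
// whether the raw secret string appears anywhere in the response body. This
// is the check a regression test for the fix would perform.
func SettingsResponseLeaksSecret(h http.HandlerFunc, secret string) bool {
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest(http.MethodGet, "/api/settings", nil))
	return strings.Contains(rec.Body.String(), secret)
}

func main() {
	secret := settings["node"].(map[string]any)["secret"].(string)
	fmt.Println("vulnerable settings handler leaks secret:", SettingsResponseLeaksSecret(vulnerableSettingsHandler, secret))
	fmt.Println("hardened settings handler leaks secret:  ", SettingsResponseLeaksSecret(hardenedSettingsHandler, secret))

	q := httptest.NewRequest(http.MethodGet, "/api/example?node_secret="+secret, nil)
	fmt.Println("query-string credential accepted (vulnerable):", NodeSecretOK(q, secret, false))
	fmt.Println("query-string credential accepted (hardened):  ", NodeSecretOK(q, secret, true))
}
```

Redaction at the serialization boundary is the durable fix for the CWE-200 half: it does not depend on remembering which roles may call /api/settings. The CWE-863 half is addressed by narrowing where the credential is read from and by treating the secret as a credential that must be rotated once it has been exposed, since the upgrade to 2.3.8 stops the leak but does not invalidate a value already retrieved.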

Impact Analysis

An attacker who exploits this vulnerability can retrieve sensitive configuration information, including the node.secret, which allows them to authenticate as a trusted node.

This can lead to unauthorized access with elevated privileges, as the attacker’s requests are treated as authenticated and associated with the init user.

Such unauthorized access could compromise the security of the Nginx server environment, potentially exposing sensitive data or allowing further malicious actions.

Mitigation Strategies

The vulnerability has been patched in Nginx UI version 2.3.8. To mitigate this vulnerability, you should upgrade your Nginx UI installation to version 2.3.8 or later.

Compliance Impact

This vulnerability allows an authenticated user to retrieve sensitive configuration values, including node.secret, which can lead to unauthorized access to the system with elevated privileges.

Exposure of sensitive configuration data and potential unauthorized access could lead to violations of data protection and security requirements outlined in common standards and regulations such as GDPR and HIPAA.

Specifically, unauthorized access to sensitive information may compromise confidentiality controls required by these regulations, potentially resulting in non-compliance.
