CVE-2026-42220
Authenticated Node Secret Exposure in Nginx UI
Publication date: 2026-05-04
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nginxui | nginx_ui | versions before 2.3.8 (2.3.8 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects Nginx UI, a web user interface for the Nginx web server. Before version 2.3.8, an authenticated user could send a GET request to /api/settings and retrieve sensitive configuration values, including a secret called node.secret.
The AuthRequired() function accepts node.secret as a credential when it is supplied in the X-Node-Secret header or the node_secret query parameter. Because the settings endpoint returns that same secret, anyone who reads it can present it and have their requests treated as authenticated through the trusted-node path and attributed to the init user, which can amount to elevated privileges.
This vulnerability was fixed in version 2.3.8 of Nginx UI.
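One way to close the exposure side of this issue, shown here as an added illustration that is not Nginx UI's own code: serve the settings document through a redaction pass keyed on credential-like field names, so a value such as node.secret never reaches the client. The settings shape, the handler and the matched key names are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"net/http"
	"strings"
)

const Redacted = "[REDACTED]" // written over every value stored under a secret-like key

// sensitiveKey matches "secret", "password" and "token" case-insensitively,
// so the node.secret value serialized as {"node":{"secret":...}} is caught.
func sensitiveKey(k string) bool {
	k = strings.ToLower(k)
	return strings.Contains(k, "secret") || strings.Contains(k, "password") || strings.Contains(k, "token")
}

// RedactSecrets returns a copy of a decoded JSON value (maps, slices, scalars)
// with every value under a sensitive key replaced; the input is not modified.
func RedactSecrets(v any) any {
	switch t := v.(type) {
	case map[string]any:
		out := make(map[string]any, len(t))
		for k, val := range t {
			if sensitiveKey(k) {
				out[k] = Redacted
			} else {
				out[k] = RedactSecrets(val)
			}
		}
		return out
	case []any:
		out := make([]any, len(t))
		for i, val := range t {
			out[i] = RedactSecrets(val)
		}
		return out
	default:
		return v
	}
}

// SettingsHandler serves a settings document with secrets stripped, so an
// authenticated UI user never receives node.secret (hypothetical handler).
func SettingsHandler(settings map[string]any) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(RedactSecrets(settings))
	}
}
```

A response type that lists only the fields meant to be public is stricter than key matching; the walk above is a backstop for documents whose shape is not fixed.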
How can this vulnerability impact me?
An attacker who exploits this vulnerability can retrieve sensitive configuration information, including the node.secret, which allows them to authenticate as a trusted node.
This can lead to unauthorized access with elevated privileges, as the attacker's requests are treated as authenticated and associated with the init user.
Such unauthorized access could compromise the security of the Nginx server environment, potentially exposing sensitive data or allowing further malicious actions.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability has been patched in Nginx UI version 2.3.8. To mitigate this vulnerability, you should upgrade your Nginx UI installation to version 2.3.8 or later.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated user to retrieve sensitive configuration values, including node.secret, which can lead to unauthorized access to the system with elevated privileges.
Exposure of sensitive configuration data and potential unauthorized access could lead to violations of data protection and security requirements outlined in common standards and regulations such as GDPR and HIPAA.
Specifically, unauthorized access to sensitive information may compromise confidentiality controls required by these regulations, potentially resulting in non-compliance.