CVE-2026-42223
Exposure of Sensitive Data in Nginx UI
Publication date: 2026-05-04
Last updated on: 2026-05-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nginxui | nginx_ui | to 2.3.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability exposes over 40 sensitive fields, including secrets used for authentication and authorization, to authenticated users due to improper enforcement of protection tags during data reads.
Such exposure of sensitive information can lead to unauthorized access, token forgery, and account takeover, which may result in violations of data protection regulations like GDPR and HIPAA that require safeguarding sensitive data and ensuring proper access controls.
Therefore, this vulnerability could negatively impact compliance with these standards by increasing the risk of unauthorized data disclosure and compromising the confidentiality and integrity of protected information.
Can you explain this vulnerability to me?
This vulnerability exists in the Nginx UI web user interface for the Nginx web server, specifically in versions prior to 2.3.8. The GetSettings API handler serializes all settings to JSON and returns them to authenticated users. Although many sensitive fields are marked as protected, this protection is only enforced during write operations and ignored during reads. As a result, over 40 protected fields, including sensitive secrets like JwtSecret, NodeSecret, OIDC ClientSecret, and IP whitelist configurations, are exposed to authenticated users.
How can this vulnerability impact me? :
The vulnerability can lead to serious security impacts because it exposes sensitive configuration secrets to authenticated users. Exposure of JwtSecret can allow attackers to forge authentication tokens, NodeSecret exposure can enable impersonation of cluster nodes, and OIDC ClientSecret exposure can lead to OAuth account takeover. Additionally, exposure of IP whitelist configurations can weaken network security controls.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Nginx UI to version 2.3.8 or later, where the issue has been patched.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the vulnerable version of nginx-ui (version 2.3.7 or earlier) is running and by attempting to access the GetSettings API endpoint to see if protected sensitive fields are exposed.
An authenticated user can send a GET request to the /api/settings endpoint to retrieve all settings, including protected secrets that should not be exposed.
A sample command to test this would be:
- curl -u <username>:<password> -X GET https://<nginx-ui-host>/api/settings
If the response JSON contains sensitive fields such as JwtSecret, NodeSecret, OIDC ClientSecret, or IP whitelist configurations, the system is vulnerable.