CVE-2026-42220: CVE-2026-42220: Privilege Escalation via Information Disclosure in Nginx UI

#security #cve #cybersecurity

CVE-2026-42220: Privilege Escalation via Information Disclosure in Nginx UI

Vulnerability ID: CVE-2026-42220
CVSS Score: 6.5
Published: 2026-05-05

An information disclosure vulnerability in Nginx UI prior to version 2.3.8 allows authenticated users to extract the internal node secret. This secret can subsequently be abused to bypass authorization checks and escalate privileges to the administrative init user.

TL;DR

Low-privileged authenticated users can retrieve the system's node.secret via the /api/settings endpoint. This secret can then be passed in the X-Node-Secret header to execute actions as the administrative init user.

⚠️ Exploit Status: POC

Technical Details

CWE IDs: CWE-200, CWE-863
Attack Vector: Network
Authentication: Required (Low Privilege)
CVSS Score: 6.5 / 7.5
EPSS Score: 0.00028
Exploit Status: Public PoC
Impact: Privilege Escalation

Affected Systems

Nginx UI versions < 2.3.8
nginx-ui: < 2.3.8 (Fixed in: 2.3.8)

Code Analysis

Commit: 80a6a72

Fix information disclosure and privilege escalation via API settings redaction

Mitigation Strategies

Upgrade Nginx UI to version 2.3.8 or later.
Rotate internal node secrets to invalidate previously leaked keys.
Rotate JWT signing secrets to invalidate any forged sessions.
Restrict network access to the Nginx UI management port.

Remediation Steps:

Download the v2.3.8 release or update the Docker image to the latest stable tag.
Stop the Nginx UI service.
Locate and open the app.ini configuration file.
Generate new, random cryptographic values for node.secret and app.jwt_secret.
Update the app.ini file with the new secret values.
Start the Nginx UI service.
Verify that low-privileged user accounts can no longer access administrative endpoints.

References

Read the full report for CVE-2026-42220 on our website for more details including interactive diagrams and full exploit analysis.

DEV Community