DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42223: CVE-2026-42223: Authenticated Sensitive Information Disclosure in Nginx UI

#security #cve #cybersecurity

CVE-2026-42223: Authenticated Sensitive Information Disclosure in Nginx UI

Vulnerability ID: CVE-2026-42223
CVSS Score: 6.5
Published: 2026-05-06

Nginx UI versions prior to 2.3.8 suffer from an asymmetric security control enforcement vulnerability. Go's standard JSON marshaler ignores custom struct tags meant to protect sensitive configuration fields, leading to the exposure of JWT secrets, node secrets, and OIDC client credentials to any authenticated user. This allows privilege escalation to full administrator.

TL;DR

Any authenticated user can retrieve administrative secrets (including the JWT signing key) due to flawed struct serialization, enabling total application compromise and privilege escalation.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-200
  • Attack Vector: Network
  • CVSS Score: 6.5
  • EPSS Score: 0.00031
  • Impact: Privilege Escalation / Information Disclosure
  • Exploit Status: Proof of Concept
  • CISA KEV: No

Affected Systems

  • Nginx UI backend API
  • Nginx UI Cluster Architecture
  • Nginx UI: < 2.3.8 (Fixed in: 2.3.8)

Code Analysis

Commit: 80a6a72

Fix information disclosure by manually redacting sensitive settings before JSON serialization and implementing secure restoration logic.

Mitigation Strategies

  • Upgrade Nginx UI to version 2.3.8 or later.
  • Rotate all exposed secrets including JWT keys, Node secrets, OIDC Client Secrets, and third-party API tokens.
  • Monitor access logs for unauthorized access to the /api/settings endpoint.

Remediation Steps:

  1. Download the latest Nginx UI release (v2.3.8).
  2. Stop the Nginx UI service.
  3. Replace the application binary with the updated version.
  4. Restart the Nginx UI service.
  5. Access the Nginx UI administrative panel and generate a new JWT signing secret.
  6. Navigate to the cluster configuration and rotate the node secrets across all instances.
  7. Update any external OAuth/OIDC providers with newly generated client secrets.

References

Read the full report for CVE-2026-42223 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)