CVE-2026-42220 Overview
CVE-2026-42220 is an information disclosure vulnerability [CWE-200] in Nginx UI, a web user interface for the Nginx web server. In versions prior to 2.3.8, an authenticated user can call the GET /api/settings endpoint and retrieve sensitive configuration values, including node.secret. The same node.secret value is accepted by the AuthRequired() function through the X-Node-Secret header or the node_secret query parameter. This causes the request to be treated as authenticated via the trusted-node path and associated with the init user. Maintainers patched the issue in version 2.3.8. See the GitHub Security Advisory GHSA-7jrr-xw9c-mj39 for vendor details.
Critical Impact
A low-privileged authenticated user can extract node.secret and escalate to the trusted init user, bypassing standard authentication boundaries.
Affected Products
- Nginx UI versions prior to 2.3.8
- Component: nginxui:nginx_ui
- Vendor: 0xJacky Nginx UI project
Discovery Timeline
- 2026-05-04 - CVE-2026-42220 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-42220
Vulnerability Analysis
The vulnerability stems from over-broad exposure of configuration data through an authenticated API endpoint. Any authenticated session, regardless of role, can issue GET /api/settings and receive the full settings payload. That payload includes node.secret, a credential intended only for trusted inter-node communication.
Nginx UI's AuthRequired() middleware accepts node.secret as a valid authentication token through the X-Node-Secret HTTP header or the node_secret query parameter. Requests presenting the secret are bound to the init user via the trusted-node code path. This conflates a configuration value with an authentication credential, breaking the principle of least privilege.
Root Cause
The root cause is the absence of access control segmentation on settings retrieval combined with secret reuse. Sensitive fields such as node.secret are returned in API responses without redaction. Concurrently, the trusted-node authentication path treats possession of that secret as proof of identity for the init user, with no additional binding to network origin or signed challenges.
Attack Vector
An attacker first obtains any authenticated session on the Nginx UI instance. The attacker then issues GET /api/settings and parses the JSON response to extract node.secret. Subsequent requests carry the value in X-Node-Secret or node_secret, and AuthRequired() authenticates the requests as the init user. Refer to the Nginx UI v2.3.8 release notes for fix details. No public proof-of-concept exploit is currently available.
Detection Methods for CVE-2026-42220
Indicators of Compromise
- HTTP requests to GET /api/settings from non-administrative user sessions in Nginx UI access logs.
- Requests containing the X-Node-Secret header or node_secret query parameter from unexpected source IP addresses.
- Authentication events associating remote requests with the init user outside expected node-to-node communication windows.
Detection Strategies
- Inspect Nginx UI and reverse proxy logs for GET /api/settings calls correlated with low-privilege user identifiers.
- Alert on any use of X-Node-Secret or node_secret originating from client networks rather than trusted node subnets.
- Baseline normal trusted-node traffic patterns and flag deviations in volume or geography.
Monitoring Recommendations
- Forward Nginx UI access and audit logs to a centralized logging platform for retention and correlation.
- Build queries that join settings endpoint access with subsequent administrative API calls under the init user.
- Monitor for configuration changes performed by init shortly after a /api/settings read.
How to Mitigate CVE-2026-42220
Immediate Actions Required
- Upgrade Nginx UI to version 2.3.8 or later without delay.
- Rotate the node.secret value after upgrading to invalidate any previously exposed credential.
- Audit all existing user accounts in Nginx UI and remove any unnecessary or stale accounts.
- Review historical access logs for prior calls to GET /api/settings from non-admin users.
Patch Information
The maintainers fixed CVE-2026-42220 in Nginx UI version 2.3.8. Download the patched release from the Nginx UI v2.3.8 release page. The accompanying GitHub Security Advisory GHSA-7jrr-xw9c-mj39 documents the affected versions and remediation.
Workarounds
- Restrict access to the Nginx UI management interface to trusted administrator networks using firewall rules or a reverse proxy ACL.
- Block external requests carrying the X-Node-Secret header or node_secret query parameter at the upstream proxy.
- Limit Nginx UI account creation and require strong authentication for any user permitted to reach the API.
# Example reverse proxy rule to block external use of the trusted-node header
location /api/ {
if ($http_x_node_secret) { return 403; }
if ($arg_node_secret) { return 403; }
proxy_pass http://nginx_ui_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
