CVE-2026-42223 Overview
CVE-2026-42223 is an information disclosure vulnerability in Nginx UI, a web user interface for managing the Nginx web server. Versions prior to 2.3.8 expose sensitive configuration data through the GetSettings API handler. The handler at api/settings/settings.go:24-65 serializes all settings structs to JSON and returns them to authenticated users. Fields tagged with protected:"true" are only enforced during writes, not reads. This exposes more than 40 protected fields to any authenticated user, including secrets used for authentication, cluster trust, and OAuth integration. The maintainers patched the issue in version 2.3.8.
Critical Impact
Authenticated users can retrieve JwtSecret, NodeSecret, OIDC ClientSecret, and IP whitelist configuration, enabling token forgery, cluster node impersonation, and OAuth account takeover.
Affected Products
- Nginx UI versions prior to 2.3.8
- nginxui:nginx_ui (all releases before the fix)
- Deployments using OIDC, cluster nodes, or JWT-based authentication are most exposed
Discovery Timeline
- 2026-05-04 - CVE-2026-42223 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-42223
Vulnerability Analysis
The flaw is an Exposure of Sensitive Information ([CWE-200]) in the Nginx UI settings API. The GetSettings handler at api/settings/settings.go:24-65 marshals the full settings object to JSON and returns it in the API response. Developers added a protected:"true" struct tag to mark fields that should never leave the server. However, the protection logic lives in ProtectedFill, which is invoked only by SaveSettings during writes. On read paths, the tag is ignored and every field is serialized.
An authenticated user with access to the settings endpoint receives more than 40 sensitive values in the response body. These include the JwtSecret used to sign authentication tokens, the NodeSecret used for inter-node trust in cluster mode, the OIDC ClientSecret used for upstream OAuth, and the IP whitelist used to restrict administrative access.
Root Cause
The protection model assumes a single enforcement point. Read serialization bypasses that point because the JSON encoder honors only standard json tags, not the custom protected tag. The result is asymmetric enforcement: writes are filtered, reads are not.
Attack Vector
An attacker needs valid authenticated access to the Nginx UI API. A low-privilege user, a stolen session cookie, or a compromised operator account is sufficient. The attacker issues a single request to the settings API and receives all secrets in the JSON response. With the JwtSecret they can forge administrative JWTs. With the NodeSecret they can impersonate a cluster node. With the OIDC ClientSecret they can pivot to identity provider abuse and account takeover.
No verified public exploit code is available. See the GitHub Security Advisory GHSA-q4w7-56hr-83rm for maintainer details.
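The asymmetry described above, as an added example that is not code from the Nginx UI project: hypothetical settings structs carry the same protected:"true" tag, encoding/json ignores that tag, and a reflection-based redaction applied on the read path brings reads under the rule that writes already enforce. Field and struct names are assumptions; the sample secrets are constructed.

```go
package main

import (
	"encoding/json"
	"reflect"
)

// Hypothetical structs modelled on the advisory's pattern: encoding/json honors only
// the json tag, so the custom protected tag is inert at marshal time.
type AuthSettings struct {
	JwtSecret   string   `json:"jwt_secret" protected:"true"`
	NodeSecret  string   `json:"node_secret" protected:"true"`
	IPWhiteList []string `json:"ip_white_list" protected:"true"`
	PageSize    int      `json:"page_size"`
}
type OIDCSettings struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret" protected:"true"`
}
type Settings struct {
	Auth AuthSettings `json:"auth"`
	OIDC OIDCSettings `json:"openid"`
}

// sampleSettings holds constructed values standing in for real secrets.
func sampleSettings() Settings {
	return Settings{
		Auth: AuthSettings{JwtSecret: "jwt-hunter2", NodeSecret: "node-hunter2",
			IPWhiteList: []string{"10.0.0.0/8"}, PageSize: 20},
		OIDC: OIDCSettings{ClientID: "nginx-ui", ClientSecret: "oidc-hunter2"},
	}
}

// vulnerableGetSettings marshals the whole object, as the unpatched read path did.
func vulnerableGetSettings(s Settings) ([]byte, error) { return json.Marshal(s) }

// redactProtected zeroes every settable field tagged protected:"true", descending into
// nested structs, so the read path is filtered by the same rule the write path uses.
func redactProtected(v reflect.Value) {
	for i := 0; i < v.NumField(); i++ {
		f := v.Field(i)
		switch {
		case !f.CanSet():
		case v.Type().Field(i).Tag.Get("protected") == "true":
			f.Set(reflect.Zero(f.Type()))
		case f.Kind() == reflect.Struct:
			redactProtected(f)
		}
	}
}

// safeGetSettings redacts a copy before marshaling; the caller's struct is untouched.
func safeGetSettings(s Settings) ([]byte, error) {
	redactProtected(reflect.ValueOf(&s).Elem())
	return json.Marshal(s)
}
```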
Detection Methods for CVE-2026-42223
Indicators of Compromise
- Authenticated GET requests to the Nginx UI settings API endpoint from unexpected user accounts or IP addresses
- Outbound responses from Nginx UI containing field names such as JwtSecret, NodeSecret, or ClientSecret
- New JWTs issued to administrative accounts that were not produced by the legitimate login flow
- Cluster join or sync events from hosts not present in the inventory
Detection Strategies
- Inspect Nginx UI access logs for calls to the settings retrieval endpoint and correlate with the requesting principal
- Compare current Nginx UI version against 2.3.8 across all managed hosts to identify unpatched instances
- Monitor reverse proxy or WAF logs for response bodies that match the protected field signatures
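The first detection strategy above, as an added example rather than tooling from the project: constructed access-log lines in a simplified "client method path user" layout are reduced to reads of the settings API and each read is correlated with its principal and source address. The log layout, the /api/settings path, the admin set and the trusted range are all assumptions.

```go
package main

import (
	"net"
	"strings"
)

// Constructed access-log lines in a simplified "client method path user" layout.
// The field order and the /api/settings path are assumptions, not taken from the advisory.
var sampleLog = []string{
	"10.0.0.5 GET /api/settings admin",
	"203.0.113.9 GET /api/settings viewer",
	"10.0.0.5 POST /api/settings admin",
	"198.51.100.4 GET /api/settings/ bob",
	"10.0.0.7 GET /api/sites admin",
	"192.0.2.8 GET /api/settings admin",
}

// Hit records one settings read worth triage and why it was flagged.
type Hit struct {
	Client, User, Reason string
}

// flagSettingsReads keeps only GET requests to the settings API and flags those whose
// principal is not a known administrator or whose source lies outside the trusted
// network; on an unpatched host every hit should be treated as a possible disclosure.
func flagSettingsReads(lines []string, admins map[string]bool, trusted *net.IPNet) []Hit {
	var hits []Hit
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) < 4 || f[1] != "GET" || !strings.HasPrefix(f[2], "/api/settings") {
			continue
		}
		client, user := f[0], f[3]
		switch {
		case !admins[user]:
			hits = append(hits, Hit{client, user, "non-admin principal"})
		case !trusted.Contains(net.ParseIP(client)):
			hits = append(hits, Hit{client, user, "untrusted client address"})
		}
	}
	return hits
}

// triage runs the check with the constructed admin set and trusted range.
func triage() []Hit {
	_, trusted, _ := net.ParseCIDR("10.0.0.0/8")
	return flagSettingsReads(sampleLog, map[string]bool{"admin": true}, trusted)
}
```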
Monitoring Recommendations
- Alert on any non-administrator account that queries the settings API
- Track changes to JWT issuance volume and source for the Nginx UI service
- Audit OIDC provider logs for unexpected use of the Nginx UI client credentials
How to Mitigate CVE-2026-42223
Immediate Actions Required
- Upgrade Nginx UI to version 2.3.8 or later on all hosts
- Rotate JwtSecret, NodeSecret, and OIDC ClientSecret after upgrade, assuming prior exposure
- Invalidate all existing JWT sessions and require re-authentication
- Review the IP whitelist and cluster node membership for unauthorized changes
Patch Information
The fix is included in Nginx UI v2.3.8. Refer to the GitHub Security Advisory GHSA-q4w7-56hr-83rm for the maintainer description and remediation guidance.
Workarounds
- Restrict access to the Nginx UI to a small set of trusted administrators using network controls and authenticated reverse proxy rules
- Place the Nginx UI behind a VPN or bastion until the patch is applied
- Reduce the number of accounts authorized to call administrative APIs to minimize the population that can read settings
# Verify installed version and upgrade if below 2.3.8
nginx-ui -v
# Example container upgrade
docker pull uozi/nginx-ui:2.3.8
docker stop nginx-ui && docker rm nginx-ui
# Re-use the same -p and -v flags as the original container so the config and data directories persist
docker run -d --name nginx-ui uozi/nginx-ui:2.3.8
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.