CVE-2026-42220

MEDIUM SEVERITY

CVSS Score & Metrics

Base Score

6.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N                                    

Vulnerability Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8.

Vulnerability Details

Published Date

May 04, 2026

Last Modified

May 06, 2026

CWE ID

CWE-200

Source

NVD

Vendor

0xJacky

Product

nginx-ui

External References

https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-7jrr-xw9c-mj39

CVE-2026-42220

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment