Medium severity6.5NVD Advisory· Published May 4, 2026· Updated May 6, 2026
CVE-2026-42220
CVE-2026-42220
Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/0xJacky/Nginx-UIGo | <= 1.9.9 | — |
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
4- github.com/0xJacky/nginx-ui/security/advisories/GHSA-7jrr-xw9c-mj39nvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-7jrr-xw9c-mj39ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-42220ghsaADVISORY
- github.com/0xJacky/nginx-ui/releases/tag/v2.3.8nvdRelease NotesWEB
News mentions
0No linked articles in our index yet.