Sensitive Configuration Disclosure in Nginx UI by Nginx
CVE-2026-42220

6.5MEDIUM

Key Information:

Vendor: 0xjacky
Status: Nginx-ui
Vendor: CVE Published:; 4 May 2026

What is CVE-2026-42220?

Nginx UI, a web user interface for managing Nginx web servers, has a vulnerability affecting versions prior to 2.3.8. An authenticated user can exploit this issue by accessing the GET /api/settings endpoint, allowing them to retrieve sensitive configuration values such as node.secret. This exposed node.secret can be misused to authenticate requests via the trusted-node path, posing a significant risk to system confidentiality and integrity. The issue has been addressed in the release of version 2.3.8.

Affected Version(s)

nginx-ui < 2.3.8

References

https://github.com/0xJacky/nginx-ui/security/advisories/G...

x_refsource_CONFIRM

https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8

x_refsource_MISC

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2026
Vulnerability Reserved
Apr 25, 2026

CVE-2026-42220 Data

JSON

0xjacky

What is CVE-2026-42220?

Affected Version(s)

References

CVSS V3.1

Timeline