Serialization Flaw in Nginx UI Exposes Sensitive Data
CVE-2026-42223
6.5 MEDIUM
What is CVE-2026-42223?
Nginx UI, a web interface for managing Nginx servers, contains a vulnerability in its GetSettings API handler that lets authenticated users read sensitive configuration settings that should be protected. Certain fields are tagged as protected so that write operations cannot modify them, but that protection is not applied when the settings are read, so the handler serializes those fields into its response. As a result, critical values such as JwtSecret, NodeSecret, and the OIDC ClientSecret can be disclosed, enabling authorization token forgery, cluster node impersonation, and OAuth account takeover. This vulnerability has been addressed in Nginx UI version 2.3.8.
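The following is an added illustration of the flaw class described above, not Nginx UI's own code: a hypothetical settings struct whose "protected" tag (an assumed marker, standing in for whatever the write path honours) is ignored by a naive read handler, beside a read path that redacts those fields before serializing. Field names follow the advisory; all secret values are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
)

// Settings is a hypothetical stand-in for the Nginx UI settings model (not the
// project's code). The protected tag is assumed to be what the write path honours.
type Settings struct {
	HTTPPort     int    `json:"http_port"`
	JwtSecret    string `json:"jwt_secret" protected:"true"`
	NodeSecret   string `json:"node_secret" protected:"true"`
	ClientSecret string `json:"oidc_client_secret" protected:"true"`
}

// vulnerableGetSettings models the flaw: it serializes the whole struct, so the
// protected tag (enforced only on writes) never stops secrets from being read.
func vulnerableGetSettings(s Settings) ([]byte, error) {
	return json.Marshal(s)
}

// redactProtected builds a map view of s that omits every field tagged
// protected:"true", making the read path respect the same tag as the write path.
func redactProtected(s Settings) map[string]interface{} {
	out := make(map[string]interface{})
	v, t := reflect.ValueOf(s), reflect.TypeOf(s)
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		if f.Tag.Get("protected") == "true" {
			continue // never copy a protected field into the response
		}
		out[f.Tag.Get("json")] = v.Field(i).Interface()
	}
	return out
}

// fixedGetSettings is the hardened handler body: redact first, then serialize.
func fixedGetSettings(s Settings) ([]byte, error) {
	return json.Marshal(redactProtected(s))
}

func main() {
	s := Settings{HTTPPort: 9000, JwtSecret: "constructed-jwt", NodeSecret: "constructed-node", ClientSecret: "constructed-oidc"}
	leaky, _ := vulnerableGetSettings(s)
	safe, _ := fixedGetSettings(s)
	fmt.Printf("vulnerable: %s\nfixed: %s\n", leaky, safe)
}
```

The same check belongs in a unit test for any settings endpoint: assert that the serialized read response contains no field carrying the write-protection marker.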
Affected Version(s)
nginx-ui < 2.3.8
