The nginx-ui web interface for the Nginx web server contains an information exposure vulnerability (CWE-200) combined with improper authorization (CWE-863) in versions before 2.3.8. Authenticated users can access the GET /api/settings endpoint to obtain sensitive configuration data, notably the node.secret. This secret is accepted by the AuthRequired() function via the X-Node-Secret header or node_secret query parameter, allowing the request to be treated as authenticated through a trusted-node mechanism and associated with the init user, effectively elevating privileges. This vulnerability has a CVSS 3.1 base score of 6.5 (medium severity) and was fixed in version 2.3.8.

An authenticated user can expose sensitive configuration information, including node.secret, which can be leveraged to bypass normal authentication controls and gain elevated access as a trusted node with init user privileges. This could lead to unauthorized access to administrative functions without further authentication. There are no known exploits in the wild at this time.

Upgrade nginx-ui to version 2.3.8 or later, where this vulnerability has been patched. Since this is a product vulnerability and not a cloud service, applying the official fix is necessary to remediate the issue. No alternative mitigations are indicated in the advisory.