CVE-2026-42223: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in 0xJacky nginx-ui
CVE-2026-42223 is a vulnerability in 0xJacky's nginx-ui prior to version 2.3.8 where the GetSettings API handler exposes over 40 sensitive configuration fields to authenticated users. These fields include JwtSecret, NodeSecret, OIDC ClientSecret, and IP whitelist configurations. The issue arises because the protection tag on sensitive fields is enforced only during writes but ignored during reads, leading to unintended disclosure of sensitive information. This vulnerability has been patched in version 2.3.8. The CVSS score is 6.5, indicating a medium severity level.
AI Analysis
Technical Summary
The vulnerability in nginx-ui versions before 2.3.8 involves the GetSettings API handler serializing all settings structs to JSON and returning them to authenticated users without properly enforcing the 'protected' tag on sensitive fields during reads. This results in exposure of sensitive data such as JwtSecret, NodeSecret, OIDC ClientSecret, and IP whitelist configurations. The flaw is due to the protection mechanism only being applied during writes (via ProtectedFill in SaveSettings) but not during reads, allowing unauthorized access to sensitive information. The issue was fixed in version 2.3.8.
Potential Impact
Exposure of sensitive configuration data including authentication secrets (JwtSecret), cluster node secrets (NodeSecret), OAuth client secrets (OIDC ClientSecret), and IP whitelist settings to any authenticated user. This could enable token forgery, cluster node impersonation, OAuth account takeover, and bypass of IP-based access controls. There is no indication of active exploitation in the wild.
Mitigation Recommendations
Upgrade nginx-ui to version 2.3.8 or later where this issue is patched. Since the vulnerability is fixed in the official release, applying this update fully mitigates the risk. No other vendor advisories indicate alternative mitigations or that no action is required.
CVE-2026-42223: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in 0xJacky nginx-ui
Description
CVE-2026-42223 is a vulnerability in 0xJacky's nginx-ui prior to version 2.3.8 where the GetSettings API handler exposes over 40 sensitive configuration fields to authenticated users. These fields include JwtSecret, NodeSecret, OIDC ClientSecret, and IP whitelist configurations. The issue arises because the protection tag on sensitive fields is enforced only during writes but ignored during reads, leading to unintended disclosure of sensitive information. This vulnerability has been patched in version 2.3.8. The CVSS score is 6.5, indicating a medium severity level.
CVSS v3.1
Score 6.5medium
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability in nginx-ui versions before 2.3.8 involves the GetSettings API handler serializing all settings structs to JSON and returning them to authenticated users without properly enforcing the 'protected' tag on sensitive fields during reads. This results in exposure of sensitive data such as JwtSecret, NodeSecret, OIDC ClientSecret, and IP whitelist configurations. The flaw is due to the protection mechanism only being applied during writes (via ProtectedFill in SaveSettings) but not during reads, allowing unauthorized access to sensitive information. The issue was fixed in version 2.3.8.
Potential Impact
Exposure of sensitive configuration data including authentication secrets (JwtSecret), cluster node secrets (NodeSecret), OAuth client secrets (OIDC ClientSecret), and IP whitelist settings to any authenticated user. This could enable token forgery, cluster node impersonation, OAuth account takeover, and bypass of IP-based access controls. There is no indication of active exploitation in the wild.
Mitigation Recommendations
Upgrade nginx-ui to version 2.3.8 or later where this issue is patched. Since the vulnerability is fixed in the official release, applying this update fully mitigates the risk. No other vendor advisories indicate alternative mitigations or that no action is required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T05:37:12.116Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f90348cbff5d8610482e41
Added to database: 5/4/2026, 8:36:24 PM
Last enriched: 5/12/2026, 6:25:02 AM
Last updated: 6/18/2026, 7:56:33 AM
Views: 143
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.