CVE-2026-42223: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in 0xJacky nginx-ui
CVE-2026-42223 is a vulnerability in 0xJacky's nginx-ui prior to version 2. 3. 8 where the GetSettings API improperly exposes sensitive configuration fields to authenticated users. Although these fields are marked as protected, the protection is only enforced during writes, not reads, leading to exposure of secrets such as JwtSecret, NodeSecret, and OIDC ClientSecret. This exposure can enable unauthorized actions like token forgery and OAuth account takeover. The vulnerability has a CVSS score of 6. 5 (medium severity) and was fixed in version 2. 3. 8.
AI Analysis
Technical Summary
The vulnerability exists in the GetSettings API handler of nginx-ui before version 2.3.8. When authenticated users request settings, the API serializes all settings to JSON and returns them without enforcing the 'protected' tag on sensitive fields during reads. This results in exposure of over 40 sensitive fields including JwtSecret, NodeSecret, OIDC ClientSecret, and IP whitelist configurations. These exposed secrets could allow attackers to forge authentication tokens, impersonate cluster nodes, or take over OAuth accounts. The issue was addressed in version 2.3.8 by properly enforcing protection on sensitive fields during reads.
Potential Impact
The exposure of sensitive configuration data such as JwtSecret, NodeSecret, and OIDC ClientSecret can lead to serious security consequences including authentication token forgery, cluster node impersonation, and OAuth account takeover. This compromises the confidentiality of critical secrets and could allow unauthorized actors to bypass authentication controls or escalate privileges within the system. The vulnerability affects all versions of nginx-ui prior to 2.3.8.
Mitigation Recommendations
A fix is available in nginx-ui version 2.3.8 which properly enforces protection of sensitive fields during read operations. Users should upgrade to version 2.3.8 or later to remediate this vulnerability. Since this is not a cloud service, remediation requires applying the vendor's patch. Patch status is confirmed by the vendor advisory indicating the issue is fixed in 2.3.8.
CVE-2026-42223: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in 0xJacky nginx-ui
Description
CVE-2026-42223 is a vulnerability in 0xJacky's nginx-ui prior to version 2. 3. 8 where the GetSettings API improperly exposes sensitive configuration fields to authenticated users. Although these fields are marked as protected, the protection is only enforced during writes, not reads, leading to exposure of secrets such as JwtSecret, NodeSecret, and OIDC ClientSecret. This exposure can enable unauthorized actions like token forgery and OAuth account takeover. The vulnerability has a CVSS score of 6. 5 (medium severity) and was fixed in version 2. 3. 8.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability exists in the GetSettings API handler of nginx-ui before version 2.3.8. When authenticated users request settings, the API serializes all settings to JSON and returns them without enforcing the 'protected' tag on sensitive fields during reads. This results in exposure of over 40 sensitive fields including JwtSecret, NodeSecret, OIDC ClientSecret, and IP whitelist configurations. These exposed secrets could allow attackers to forge authentication tokens, impersonate cluster nodes, or take over OAuth accounts. The issue was addressed in version 2.3.8 by properly enforcing protection on sensitive fields during reads.
Potential Impact
The exposure of sensitive configuration data such as JwtSecret, NodeSecret, and OIDC ClientSecret can lead to serious security consequences including authentication token forgery, cluster node impersonation, and OAuth account takeover. This compromises the confidentiality of critical secrets and could allow unauthorized actors to bypass authentication controls or escalate privileges within the system. The vulnerability affects all versions of nginx-ui prior to 2.3.8.
Mitigation Recommendations
A fix is available in nginx-ui version 2.3.8 which properly enforces protection of sensitive fields during read operations. Users should upgrade to version 2.3.8 or later to remediate this vulnerability. Since this is not a cloud service, remediation requires applying the vendor's patch. Patch status is confirmed by the vendor advisory indicating the issue is fixed in 2.3.8.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-25T05:37:12.116Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69f90348cbff5d8610482e41
Added to database: 5/4/2026, 8:36:24 PM
Last enriched: 5/4/2026, 8:51:35 PM
Last updated: 5/4/2026, 9:38:08 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.