PT-2026-36920 · Nginx-Ui · Nginx-Ui

Lilmingwa13 · Published 2026-04-21 · Updated 2026-05-06 · CVE-2026-42220

CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Nginx UI versions prior to 2.3.8

Description

An authenticated user can access the 'GET /api/settings' endpoint to retrieve sensitive configuration values, such as node.secret. This secret is accepted by the AuthRequired() function via the 'X-Node-Secret' header or the node secret query parameter, allowing requests to be treated as authenticated through the trusted-node path and associated with the init user.

Recommendations

Update to version 2.3.8.

Exploit

Fix

Information Disclosure

Incorrect Authorization

Weakness Enumeration

Related Identifiers

BDU:2026-06342
CVE-2026-42220
GHSA-7JRR-XW9C-MJ39

Affected Products

Nginx-Ui