PT-2026-36923 · Nginx-Ui · Nginx-Ui
Yotampe-Pluto · Published 2026-04-21 · Updated 2026-05-06 · CVE-2026-42223
CVSS v2.0: 6.8 (Medium) · Vector: AV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Nginx UI versions prior to 2.3.8
Description: The GetSettings API handler in api/settings/settings.go serializes every settings struct to JSON and returns the result to any authenticated user. Many sensitive fields are marked as protected, but that restriction is enforced only on the write path, in the SaveSettings function, and is not applied on the read path. As a result, more than 40 protected fields are exposed, including JwtSecret (allows forging authentication tokens), NodeSecret (allows impersonating a cluster node), the OIDC ClientSecret (allows OAuth account takeover) and the IP whitelist configuration.
Recommendations: Update to version 2.3.8.
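The following Go program is an added example written for this page; it is not Nginx UI's code and not the 2.3.8 fix. It models the flaw described above and one way to close it: hypothetical settings structs carry a `protected:"true"` struct tag, the vulnerable read path marshals the whole settings tree as-is (so the tag is never consulted), and the fixed read path strips tagged fields by reflection before marshalling, the same rule the write path is described as enforcing. The struct names, field names, tag name and sample secret values are assumptions constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// Hypothetical settings structs for this example. They follow the pattern the
// advisory describes (a struct tag marks fields the API must not expose), but
// the field names, tag name and layout are assumptions, not Nginx UI's code.
type AppSettings struct {
	PageSize  int    `json:"page_size"`
	JwtSecret string `json:"jwt_secret" protected:"true"`
}

type NodeSettings struct {
	Name       string `json:"name"`
	NodeSecret string `json:"node_secret" protected:"true"`
}

type OpenIDSettings struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret" protected:"true"`
}

type AllSettings struct {
	App    AppSettings    `json:"app"`
	Node   NodeSettings   `json:"node"`
	OpenID OpenIDSettings `json:"openid"`
}

// SampleSettings returns constructed sample data; the secret values are
// placeholders made up for this example.
func SampleSettings() AllSettings {
	return AllSettings{
		App:    AppSettings{PageSize: 20, JwtSecret: "jwt-secret-value"},
		Node:   NodeSettings{Name: "node-a", NodeSecret: "node-secret-value"},
		OpenID: OpenIDSettings{ClientID: "nginx-ui", ClientSecret: "oidc-secret-value"},
	}
}

// GetSettingsVulnerable reproduces the flawed read path: the whole settings
// tree is marshalled directly, so encoding/json never looks at the protected
// tag and every secret is returned to the caller.
func GetSettingsVulnerable(s AllSettings) string {
	b, err := json.Marshal(s)
	if err != nil {
		panic(err)
	}
	return string(b)
}

// redactProtected walks a struct and builds a JSON-ready map that omits every
// field tagged protected:"true", recursing into nested structs (and through
// non-nil pointers to structs) so the rule holds at any depth of the tree.
func redactProtected(v reflect.Value) map[string]any {
	out := map[string]any{}
	t := v.Type()
	for i := 0; i < t.NumField(); i++ {
		f := t.Field(i)
		if !f.IsExported() || f.Tag.Get("protected") == "true" {
			continue
		}
		name := strings.Split(f.Tag.Get("json"), ",")[0]
		if name == "-" {
			continue // honour json:"-" exactly as encoding/json would
		}
		if name == "" {
			name = f.Name
		}
		fv := v.Field(i)
		if fv.Kind() == reflect.Ptr && !fv.IsNil() {
			fv = fv.Elem()
		}
		if fv.Kind() == reflect.Struct {
			out[name] = redactProtected(fv)
		} else {
			out[name] = fv.Interface()
		}
	}
	return out
}

// GetSettingsFixed applies on the read path the protected-field rule that the
// write path already enforces: tagged values never leave the server.
func GetSettingsFixed(s AllSettings) string {
	b, err := json.Marshal(redactProtected(reflect.ValueOf(s)))
	if err != nil {
		panic(err)
	}
	return string(b)
}

// ExposesSecret is the check a regression test for this bug would run against
// the real handler's response body.
func ExposesSecret(body, secret string) bool {
	return strings.Contains(body, secret)
}

func main() {
	s := SampleSettings()
	fmt.Println("vulnerable:", GetSettingsVulnerable(s))
	fmt.Println("fixed:     ", GetSettingsFixed(s))
}
```

The design point is that both the read and the write handler should consult the same tag-walking helper; the bug class here is two code paths applying one policy inconsistently, and a shared helper plus a test like ExposesSecret on the live GetSettings response is what keeps them from drifting apart again.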

Exploit · Fix · Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2026-06344
CVE-2026-42223
GHSA-Q4W7-56HR-83RM

Affected Products

Nginx-Ui