{"uuid": "3f598517-8c86-4e7b-960f-6d72ea5f4adb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42220", "type": "seen", "source": "https://gist.github.com/alon710/26efd138450d4334005446be8418f3bc", "content": "# CVE-2026-42220: Privilege Escalation via Information Disclosure in Nginx UI\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-05-05\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42220\n\n## Summary\nAn information disclosure vulnerability in Nginx UI prior to version 2.3.8 allows authenticated users to extract the internal node secret. This secret can subsequently be abused to bypass authorization checks and escalate privileges to the administrative init user.\n\n## TL;DR\nLow-privileged authenticated users can retrieve the system's `node.secret` via the `/api/settings` endpoint. This secret can then be passed in the `X-Node-Secret` header to execute actions as the administrative init user.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE IDs**: CWE-200, CWE-863\n- **Attack Vector**: Network\n- **Authentication**: Required (Low Privilege)\n- **CVSS Score**: 6.5 / 7.5\n- **EPSS Score**: 0.00028\n- **Exploit Status**: Public PoC\n- **Impact**: Privilege Escalation\n\n## Affected Systems\n\n- Nginx UI versions < 2.3.8\n- **nginx-ui**: < 2.3.8 (Fixed in: `2.3.8`)\n\n## Mitigation\n\n- Upgrade Nginx UI to version 2.3.8 or later.\n- Rotate internal node secrets to invalidate previously leaked keys.\n- Rotate JWT signing secrets to invalidate any forged sessions.\n- Restrict network access to the Nginx UI management port.\n\n**Remediation Steps:**\n1. Download the v2.3.8 release or update the Docker image to the latest stable tag.\n2. Stop the Nginx UI service.\n3. Locate and open the app.ini configuration file.\n4. Generate new, random cryptographic values for node.secret and app.jwt_secret.\n5. Update the app.ini file with the new secret values.\n6. Start the Nginx UI service.\n7. Verify that low-privileged user accounts can no longer access administrative endpoints.\n\n## References\n\n- [Official Release v2.3.8](https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8)\n- [GitHub Security Advisory: GHSA-7jrr-xw9c-mj39](https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-7jrr-xw9c-mj39)\n- [MITRE CVE Record: CVE-2026-42220](https://www.cve.org/CVERecord?id=CVE-2026-42220)\n- [Patch Commit: 80a6a7273d43dedbd6404662893fe862a2c14bf5](https://github.com/0xJacky/nginx-ui/commit/80a6a7273d43dedbd6404662893fe862a2c14bf5)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42220) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-05T21:10:29.000000Z"}