{"vulnerability": "cve-2026-4222", "sightings": [{"uuid": "3f598517-8c86-4e7b-960f-6d72ea5f4adb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42220", "type": "seen", "source": "https://gist.github.com/alon710/26efd138450d4334005446be8418f3bc", "content": "# CVE-2026-42220: Privilege Escalation via Information Disclosure in Nginx UI\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-05-05\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42220\n\n## Summary\nAn information disclosure vulnerability in Nginx UI prior to version 2.3.8 allows authenticated users to extract the internal node secret. This secret can subsequently be abused to bypass authorization checks and escalate privileges to the administrative init user.\n\n## TL;DR\nLow-privileged authenticated users can retrieve the system's `node.secret` via the `/api/settings` endpoint. This secret can then be passed in the `X-Node-Secret` header to execute actions as the administrative init user.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE IDs**: CWE-200, CWE-863\n- **Attack Vector**: Network\n- **Authentication**: Required (Low Privilege)\n- **CVSS Score**: 6.5 / 7.5\n- **EPSS Score**: 0.00028\n- **Exploit Status**: Public PoC\n- **Impact**: Privilege Escalation\n\n## Affected Systems\n\n- Nginx UI versions < 2.3.8\n- **nginx-ui**: < 2.3.8 (Fixed in: `2.3.8`)\n\n## Mitigation\n\n- Upgrade Nginx UI to version 2.3.8 or later.\n- Rotate internal node secrets to invalidate previously leaked keys.\n- Rotate JWT signing secrets to invalidate any forged sessions.\n- Restrict network access to the Nginx UI management port.\n\n**Remediation Steps:**\n1. Download the v2.3.8 release or update the Docker image to the latest stable tag.\n2. Stop the Nginx UI service.\n3. Locate and open the app.ini configuration file.\n4. 
Generate new, random cryptographic values for node.secret and app.jwt_secret.\n5. Update the app.ini file with the new secret values.\n6. Start the Nginx UI service.\n7. Verify that low-privileged user accounts can no longer access administrative endpoints.\n\n## References\n\n- [Official Release v2.3.8](https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8)\n- [GitHub Security Advisory: GHSA-7jrr-xw9c-mj39](https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-7jrr-xw9c-mj39)\n- [Mitre CVE Record: CVE-2026-42220](https://www.cve.org/CVERecord?id=CVE-2026-42220)\n- [Patch Commit: 80a6a7273d43dedbd6404662893fe862a2c14bf5](https://github.com/0xJacky/nginx-ui/commit/80a6a7273d43dedbd6404662893fe862a2c14bf5)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42220) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-05T21:10:29.000000Z"}, {"uuid": "b1f2f088-7e5c-43a5-a5f7-4b049cf0f0c0", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42221", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3ml2mueqssi2e", "content": "\ud83d\udfe0 CVE-2026-42221 - High (8.1)\n\nNginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42221/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-04T21:35:14.556444Z"}, {"uuid": "bcbe7ab0-a207-44a2-a4b9-5da0b6620cb2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42222", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3ml2mumidmi2n", "content": "\ud83d\udfe0 CVE-2026-42222 - High (8.1)\n\nNginx UI is a web user interface for the Nginx web server. 
In version 2.3.5, an unauthenticated b...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42222/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-04T21:35:22.351977Z"}, {"uuid": "863af5f3-458b-4f1c-a36c-fc186905edb2", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42221", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3ml2q2ndiwr2i", "content": "CVE-2026-42221 - nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim\nCVE ID : CVE-2026-42221\n \n Published : May 4, 2026, 9:16 p.m. | 1\u00a0hour, 4\u00a0minutes ago\n \n Description : Nginx UI is a web user interface for the Nginx web server. From version 2.0.0...", "creation_timestamp": "2026-05-04T22:32:25.525214Z"}, {"uuid": "11e6a126-c731-45e2-85c1-40f2b124f3bd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42223", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3ml2r63k5dk2e", "content": "CVE-2026-42223 - nginx-ui: Settings API Exposes Protected Secrets\nCVE ID : CVE-2026-42223\n \n Published : May 4, 2026, 9:16 p.m. | 1\u00a0hour, 4\u00a0minutes ago\n \n Description : Nginx UI is a web user interface for the Nginx web server. 
Prior to version 2.3.8, the GetSettings API handl...", "creation_timestamp": "2026-05-04T22:52:14.667181Z"}, {"uuid": "269827d3-9635-448f-bcb6-f8d7b5c7da63", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42222", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3ml2rfr4mdo2n", "content": "CVE-2026-42222 - nginx-ui: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover\nCVE ID : CVE-2026-42222\n \n Published : May 4, 2026, 9:16 p.m. | 1\u00a0hour, 4\u00a0minutes ago\n \n Description : Nginx UI is a web user interface for the Nginx web...", "creation_timestamp": "2026-05-04T22:56:32.208675Z"}, {"uuid": "b578038d-1ae3-4f4a-8a0e-ad81a9db6c3b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42220", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3ml2ropkdtu2p", "content": "CVE-2026-42220 - nginx-ui: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback\nCVE ID : CVE-2026-42220\n \n Published : May 4, 2026, 9:16 p.m. 
| 1\u00a0hour, 4\u00a0minutes ago\n...", "creation_timestamp": "2026-05-04T23:01:32.650480Z"}, {"uuid": "0107f002-98ed-4ea4-9256-cabf6f30a18e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42223", "type": "seen", "source": "https://gist.github.com/alon710/8f2a8c09229ab2a61f27e4872d065fac", "content": "# CVE-2026-42223: Authenticated Sensitive Information Disclosure in Nginx UI\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-05-06\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42223\n\n## Summary\nNginx UI versions prior to 2.3.8 suffer from an asymmetric security control enforcement vulnerability. Go's standard JSON marshaler ignores custom struct tags meant to protect sensitive configuration fields, leading to the exposure of JWT secrets, node secrets, and OIDC client credentials to any authenticated user. This allows privilege escalation to full administrator.\n\n## TL;DR\nAny authenticated user can retrieve administrative secrets (including the JWT signing key) due to flawed struct serialization, enabling total application compromise and privilege escalation.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-200\n- **Attack Vector**: Network\n- **CVSS Score**: 6.5\n- **EPSS Score**: 0.00031\n- **Impact**: Privilege Escalation / Information Disclosure\n- **Exploit Status**: Proof of Concept\n- **CISA KEV**: No\n\n## Affected Systems\n\n- Nginx UI backend API\n- Nginx UI Cluster Architecture\n- **Nginx UI**: < 2.3.8 (Fixed in: `2.3.8`)\n\n## Mitigation\n\n- Upgrade Nginx UI to version 2.3.8 or later.\n- Rotate all exposed secrets including JWT keys, Node secrets, OIDC Client Secrets, and third-party API tokens.\n- Monitor access logs for unauthorized access to the /api/settings endpoint.\n\n**Remediation Steps:**\n1. Download the latest Nginx UI release (v2.3.8).\n2. Stop the Nginx UI service.\n3. 
Replace the application binary with the updated version.\n4. Restart the Nginx UI service.\n5. Access the Nginx UI administrative panel and generate a new JWT signing secret.\n6. Navigate to the cluster configuration and rotate the node secrets across all instances.\n7. Update any external OAuth/OIDC providers with newly generated client secrets.\n\n## References\n\n- [GitHub Security Advisory GHSA-q4w7-56hr-83rm](https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-q4w7-56hr-83rm)\n- [NVD Record for CVE-2026-42223](https://nvd.nist.gov/vuln/detail/CVE-2026-42223)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42223) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-06T17:10:29.000000Z"}, {"uuid": "e4ab0392-5925-407a-9f1d-cc96863c38e6", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42221", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3ml7c63tf662q", "content": "\ud83d\udccc CVE-2026-42221 - Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim t... https://www.cyberhub.blog/cves/CVE-2026-42221", "creation_timestamp": "2026-05-06T18:07:08.426361Z"}, {"uuid": "595979e7-b845-439c-96a1-92833055f42f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42225", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3mlccz54qx72k", "content": "CVE-2026-42225 - GnuTLS backend silently skips certificate chain verification when verify_peer is false\nCVE ID : CVE-2026-42225\n \n Published : May 7, 2026, 8:16 p.m. 
| 2\u00a0hours, 4\u00a0minutes ago\n \n Description : PJSIP is a free and open source multimedia communication library writ...", "creation_timestamp": "2026-05-07T23:00:14.120411Z"}, {"uuid": "f64f5691-7186-40a1-a603-83b3aba27cd1", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42222", "type": "seen", "source": "https://bsky.app/profile/cyberhub.blog/post/3ml7kkc2wue2v", "content": "\ud83d\udccc CVE-2026-42222 - Nginx UI is a web user interface for the Nginx web server. In version 2.3.5, an unauthenticated bootstrap takeover exists in nginx-ui during the initi... https://www.cyberhub.blog/cves/CVE-2026-42222", "creation_timestamp": "2026-05-06T20:37:06.658726Z"}, {"uuid": "57d99cbe-1e80-4766-98d8-60b818f6d0cf", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42228", "type": "seen", "source": "https://t.me/GithubRedTeam/83142", "content": "\ud83d\udea8 GitHub monitoring alert\n\n\ud83d\udea8 Keyword found: #CVE-2026\n\n\ud83d\udce6 Project name: CVE-2026-42228\n\ud83d\udc64 Project author: rudSarkar\n\ud83d\udee0 Development language: None\n\u2b50 Star count: 0  |  \ud83c\udf74 Fork count: 0\n\ud83d\udcc5 Updated: 2026-05-07 00:59:35\n\n\ud83d\udcdd Project description:\nNo description\n\n\ud83d\udd17 Click to open the project page", "creation_timestamp": "2026-05-07T01:00:04.000000Z"}, {"uuid": "a1aa958c-d130-4124-be88-3de226dd3458", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42221", "type": "seen", "source": "https://t.me/bdufstecru/3142", "content": 
"A vulnerability in the Nginx UI web user interface for the nginx server is caused by missing authentication for a critical function. Exploiting the vulnerability may allow a remote attacker to modify data in the system\n\nBDU:2026-06343\nCVE-2026-42221\n\nFollow the vendor's recommendations:\nhttps://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h27v-ph7w-m9fp", "creation_timestamp": "2026-05-08T13:55:55.000000Z"}, {"uuid": "8d72d3c2-1ad4-4356-8387-9dbdf6942bdd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42224", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mlgzlgsxhl2k", "content": "\ud83d\udfe0 CVE-2026-42224 - High (7.6)\n\nipl/web is a set of common web components for php projects. 
Prior to version 0.13.1, the vulnerab...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42224/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack", "creation_timestamp": "2026-05-09T19:54:49.947524Z"}]}