GHSA-q4w7-56hr-83rm: Nginx-UI Settings API Exposes Protected Secrets
Severity: Medium
Tags: vulnerability, security
Summary
Nginx-UI's GetSettings API endpoint returns the full settings object to any authenticated user, including 40+ fields marked as protected, among them JwtSecret (enough to forge authentication tokens), NodeSecret (enough to impersonate cluster nodes) and the OIDC ClientSecret (enough to take over the OAuth integration). The protection applies only on the write path: saving settings checks the custom `protected:"true"` struct tag, but the read path hands the struct straight to Go's encoding/json, which honours only the `json:` tag and ignores custom tags, so protected fields are serialised like any other. Because the secret values themselves were readable by any authenticated session, upgrading alone does not undo a prior disclosure; rotating the exposed secrets after upgrading is the conservative response.
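To make the mechanism concrete, the following Go program is an added example written for this page; it is not Nginx-UI's code. The struct, its field names and the `protected:"true"` tag convention are assumptions modelled on the advisory's description. `MarshalRaw` shows the vulnerable read path, where encoding/json emits every field regardless of the custom tag, and `MarshalRedacted` shows one hardened read path that walks the struct with reflection and drops protected fields (at any nesting depth, including through pointers and slices of structs) before serialisation. `ContainsAny` is a small regression check for tests.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// Settings is a stand-in for an application settings struct. The field
// names, json tags and the protected:"true" tag convention are assumptions
// made for this example, not the project's real definitions.
type Settings struct {
	HTTPPort   int    `json:"http_port"`
	JwtSecret  string `json:"jwt_secret" protected:"true"`
	NodeSecret string `json:"node_secret" protected:"true"`
	OpenID     OpenID `json:"openid"`
}

// OpenID models a nested settings section with its own protected field.
type OpenID struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret" protected:"true"`
}

// MarshalRaw is the vulnerable read path: encoding/json honours only the
// json tag, so the custom protected tag changes nothing and every secret
// is serialised.
func MarshalRaw(s Settings) (string, error) {
	b, err := json.Marshal(s)
	return string(b), err
}

// jsonName returns the key encoding/json would use for a field, or "" if
// encoding/json would skip it (unexported, or tagged json:"-").
func jsonName(f reflect.StructField) string {
	if f.PkgPath != "" { // unexported field
		return ""
	}
	tag := f.Tag.Get("json")
	if tag == "-" {
		return ""
	}
	if name := strings.Split(tag, ",")[0]; name != "" {
		return name
	}
	return f.Name
}

// redacted walks a value read-only and rebuilds structs as maps, dropping
// every field tagged protected:"true" at any nesting depth. Nothing in the
// input is mutated. Caveat: untagged embedded structs are nested under
// their type name here, whereas encoding/json would flatten them.
func redacted(v reflect.Value) interface{} {
	switch v.Kind() {
	case reflect.Ptr:
		if v.IsNil() {
			return nil
		}
		return redacted(v.Elem())
	case reflect.Struct:
		out := make(map[string]interface{}, v.NumField())
		t := v.Type()
		for i := 0; i < v.NumField(); i++ {
			f := t.Field(i)
			name := jsonName(f)
			if name == "" || f.Tag.Get("protected") == "true" {
				continue
			}
			out[name] = redacted(v.Field(i))
		}
		return out
	case reflect.Slice, reflect.Array:
		ek := v.Type().Elem().Kind()
		if ek != reflect.Struct && ek != reflect.Ptr {
			return v.Interface() // e.g. []byte keeps its usual base64 encoding
		}
		out := make([]interface{}, v.Len())
		for i := range out {
			out[i] = redacted(v.Index(i))
		}
		return out
	default:
		return v.Interface()
	}
}

// MarshalRedacted is the hardened read path: protected fields are removed
// before the value ever reaches encoding/json.
func MarshalRedacted(s Settings) (string, error) {
	b, err := json.Marshal(redacted(reflect.ValueOf(s)))
	return string(b), err
}

// ContainsAny reports whether serialised output contains any of the given
// secret values; useful as a regression check in an API handler test.
func ContainsAny(out string, secrets ...string) bool {
	for _, s := range secrets {
		if s != "" && strings.Contains(out, s) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values; not real credentials.
	s := Settings{HTTPPort: 9000, JwtSecret: "jwt-secret-1", NodeSecret: "node-secret-1",
		OpenID: OpenID{ClientID: "nginx-ui", ClientSecret: "oidc-secret-1"}}
	raw, _ := MarshalRaw(s)
	safe, _ := MarshalRedacted(s)
	fmt.Println("raw:     ", raw)
	fmt.Println("redacted:", safe)
}
```

The design point is that a custom struct tag is only as good as the code that reads it: the write-side check in the advisory enforced it, but the read side never consulted it. Doing the redaction in a reflection walk that every settings-returning handler must go through (rather than in each handler by hand) keeps a newly added secret field from being forgotten, and `ContainsAny` gives a cheap test that fails the moment a secret appears in serialised output.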
Vulnerability Details
EPSS (30-day exploit probability)
EPSS: 0.0%
Patch Available
Yes
Disclosure Date
May 6, 2026
Classification
Attack sophistication: Moderate
Affected Packages
github.com/0xJacky/nginx-ui@<= 2.3.7 (fixed: 2.3.8)
Original source: https://github.com/advisories/GHSA-q4w7-56hr-83rm
First tracked: May 6, 2026 at 02:00 PM
Classified by LLM (prompt v3) · confidence: 95%