
13 matches found

OSV
added 2026/05/05 8:49 p.m., 4 views

GHSA-7JRR-XW9C-MJ39 Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback

Summary: An authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret query parameter, causing the request to be treated as authenticated via the...

6.5 CVSS, 5.7 AI score, 0.00299 EPSS
Exploits: 1, References: 4
Github Security Blog
added 2026/05/05 8:49 p.m., 9 views

Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback

Summary: An authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret query parameter, causing the request to be treated as authenticated via the...

6.5 CVSS, 5.7 AI score, 0.00299 EPSS
Exploits: 1, References: 4, Affected Software: 1
GitLab Advisory Database
added 2026/05/05 12:0 a.m., 11 views

Nginx-UI: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback

An authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret query parameter, causing the request to be treated as authenticated via the...

6.5 CVSS, 5.8 AI score, 0.00299 EPSS
Exploits: 1, References: 4, Affected Software: 1
Snyk
added 2026/05/04 9:28 p.m., 4 views

Incorrect Authorization

Overview: Affected versions of this package are vulnerable to Incorrect Authorization in the GET /api/settings process. An attacker can obtain sensitive configuration values, such as node.secret, by making authenticated requests, and subsequently abuse trusted-node authentication, exfiltrate...

7.1 CVSS, 5.8 AI score, 0.00299 EPSS
Exploits: 1, References: 2
ATTACKERKB
added 2026/05/04 8:8 p.m., 4 views

CVE-2026-42220

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret...

6.5 CVSS, 5.7 AI score, 0.00299 EPSS
Exploits: 1, References: 3, Affected Software: 1
Cvelist
added 2026/05/04 8:8 p.m., 34 views

CVE-2026-42220 nginx-ui: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret...

6.5 CVSS, 0.00299 EPSS
Exploits: 1, References: 2
Vulnrichment
added 2026/05/04 8:8 p.m., 6 views

CVE-2026-42220 nginx-ui: Authenticated settings disclosure exposes node.secret and enables trusted-node authentication abuse, backup exfiltration, and restore-based nginx-ui state rollback

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired through the X-Node-Secret header or nodesecret...

6.5 CVSS, 5.7 AI score, 0.00299 EPSS
Exploits: 1, References: 2
CVE
added 2026/05/04 8:8 p.m., 17 views

CVE-2026-42220

Nginx UI (nginx-ui) prior to version 2.3.8 exposes a vulnerability where an authenticated user can call GET /api/settings to retrieve sensitive values, including node.secret. The node.secret is accepted by AuthRequired() via the X-Node-Secret header (or node_secret query parameter), allowing the ...

6.5 CVSS, 5.7 AI score, 0.00299 EPSS
Exploits: 1, References: 2, Affected Software: 1
Positive Technologies
added 2026/05/04 12:0 a.m., 4 views

PT-2026-36920

Name of the Vulnerable Software and Affected Versions: Nginx UI versions prior to 2.3.8. Description: An authenticated user can access the 'GET /api/settings' endpoint to retrieve sensitive configuration values, such as node.secret. This secret is accepted by the AuthRequired function via the...

6.5 CVSS, 5.8 AI score, 0.00299 EPSS
Exploits: 1, References: 5
Tenable Nessus
added 2025/12/15 12:0 a.m., 3 views

SUSE SLES12 Security Update : icinga2 (SUSE-SU-2025:02783-1)

The remote SUSE Linux SLES12 / SLESSAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:02783-1 advisory. - CVE-2025-48057: A certificate incorrectly treated as valid can allow an attacker to impersonate a trusted node bsc1243747. Tenable has...

9.8 CVSS, 8.6 AI score, 0.00414 EPSS
Exploits: 0, References: 4
SUSE Linux
added 2025/08/13 8:53 a.m., 3 views

Security update for icinga2

This update for icinga2 fixes the following issues: CVE-2025-48057: A certificate incorrectly treated as valid can allow an attacker to impersonate a trusted node bsc1243747. Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or...

8.8 CVSS, 6.8 AI score, 0.00414 EPSS
Exploits: 0, References: 4
OSV
added 2025/08/13 8:53 a.m., 3 views

SUSE-SU-2025:02783-1 Security update for icinga2

This update for icinga2 fixes the following issues: - CVE-2025-48057: A certificate incorrectly treated as valid can allow an attacker to impersonate a trusted node bsc1243747...

9.8 CVSS, 7.1 AI score, 0.00414 EPSS
Exploits: 0, References: 3
Code423n4
added 2023/06/09 12:0 a.m., 8 views

A trusted node has the ability to submit the ExchangeRate multiple times for a single reportingBlockNumber.

Lines of code Vulnerability details Impact In this code, a trusted node can submit data several times. The trusted node can submit ExchangeRateData and then it can submit different data again about same reportingBlockNumber. This will occur mess of staderOracle contract, so it will be needed to b...

6.9 AI score
Exploits: 0