Nginx UI Authenticated Settings Disclosure Vulnerability Allowing Trusted-Node Authentication Abuse and Backup Exfiltration

Vulnerability

A vulnerability in Nginx UI prior to version 2.3.8 allows authenticated users to read sensitive configuration data, including the node.secret, through the GET /api/settings endpoint. The node.secret can then be used to bypass standard authentication and reach privileged actions via the trusted-node path, such as downloading backup archives and restoring Nginx UI state, which can disrupt normal operations. The issue arises because the settings endpoint lacks proper authorization controls and returns secret material that can be replayed as a credential for critical functionality.
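The mitigation the advisory implies is that the settings endpoint must never hand secret material to any caller, authenticated or not. The following Go snippet is an added example written for this page, not code from the Nginx UI project: it assumes a simplified settings document (a map of sections to key/value pairs, a hypothetical shape) and shows a settings handler that serves only a redacted view, so node.secret and app.jwt_secret stay server-side even when the request is authorized. The list of sensitive key names beyond "secret" and "jwt_secret" is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Settings is a simplified stand-in for the Nginx UI settings document.
// Hypothetical shape: the project's real struct is not on this page.
type Settings map[string]map[string]string

// sensitiveKeys lists setting keys whose values must never leave the server.
// "secret" and "jwt_secret" correspond to node.secret and app.jwt_secret
// named in the advisory; "password" and "token" are added as assumptions.
var sensitiveKeys = []string{"secret", "jwt_secret", "password", "token"}

// isSensitive reports whether a key (or a key ending in "_<name>") is secret.
func isSensitive(key string) bool {
	k := strings.ToLower(key)
	for _, s := range sensitiveKeys {
		if k == s || strings.HasSuffix(k, "_"+s) {
			return true
		}
	}
	return false
}

// RedactSettings returns a deep copy of s with sensitive values replaced by a
// fixed marker, so callers can see that a key exists without learning its value.
// The input is never mutated.
func RedactSettings(s Settings) Settings {
	out := make(Settings, len(s))
	for section, kv := range s {
		clean := make(map[string]string, len(kv))
		for k, v := range kv {
			if isSensitive(k) {
				clean[k] = "[redacted]"
			} else {
				clean[k] = v
			}
		}
		out[section] = clean
	}
	return out
}

// settingsHandler serves GET /api/settings. Even an authenticated caller only
// ever receives the redacted view; secrets stay server-side.
func settingsHandler(store Settings) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		_ = json.NewEncoder(w).Encode(RedactSettings(store))
	}
}

func main() {
	// Constructed sample settings; the secret values are placeholders.
	store := Settings{
		"node": {"name": "primary", "secret": "PLACEHOLDER_NODE_SECRET"},
		"app":  {"page_size": "20", "jwt_secret": "PLACEHOLDER_JWT_SECRET"},
	}
	out, _ := json.Marshal(RedactSettings(store))
	fmt.Println(string(out))
	http.Handle("/api/settings", settingsHandler(store))
	_ = http.ListenAndServe(":8080", nil) // hypothetical listen address
}
```

Redaction at the handler is a backstop, not a substitute for authorization: the secrets should also live in a store the settings API cannot reach, so that adding a new secret-bearing key later does not silently reintroduce the leak.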

Impact

Exploitation of this vulnerability leads to unauthorized access to sensitive configuration values, including node secrets and JWT signing secrets, which can be used to manipulate application state and bypass normal authentication mechanisms. The vulnerability also allows for unauthorized access to backup archives, including decryption materials, and the ability to restore application state from backups, potentially disrupting normal operations.

Reproduction

The vulnerability can be reproduced by authenticating to the Nginx UI web interface and then sending a request to the GET /api/settings endpoint. The response includes sensitive values such as node.secret and app.jwt_secret. Once obtained, the node.secret can be presented in place of the normal session credential on a request to the same endpoint, which again returns the sensitive data. The node.secret can likewise be used to reach the backup endpoint, download a backup archive, and invoke the restore workflow, rolling back Nginx UI state and configuration.
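From a defender's side, the sequence above has a recognisable shape in the reverse proxy's access log: a client reads /api/settings and shortly afterwards reaches the backup or restore endpoints. The Go program below is an added example for this page, not Nginx UI code: it parses nginx "combined" log lines, then reports clients whose successful GET /api/settings is followed within a time window by any request under an assumed backup path prefix. The advisory does not name the backup and restore routes, so the "/api/backup" prefix and the sample log lines are constructed assumptions to be adjusted to the real deployment.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// accessLine holds the fields of an nginx "combined" log entry the detection needs.
type accessLine struct {
	client string
	at     time.Time
	method string
	path   string
	status int
}

// logRe matches the leading part of the combined format:
// client - user [time] "METHOD path proto" status ...
var logRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

// parseLine extracts client, timestamp, method, path and status.
// ok is false for lines that do not match the expected format.
func parseLine(line string) (accessLine, bool) {
	m := logRe.FindStringSubmatch(line)
	if m == nil {
		return accessLine{}, false
	}
	at, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
	if err != nil {
		return accessLine{}, false
	}
	status, _ := strconv.Atoi(m[5])
	return accessLine{client: m[1], at: at, method: m[3], path: m[4], status: status}, true
}

// backupPrefix is an ASSUMED route prefix for the backup/restore endpoints;
// the advisory does not name them, so set this to the deployment's real paths.
const backupPrefix = "/api/backup"

// Finding records one client that read /api/settings and then reached a backup route.
type Finding struct {
	Client   string
	Settings time.Time // time of the first successful settings read
	Backup   string    // "METHOD path" of the first backup-route request after it
}

// DetectSettingsToBackup returns one Finding per client whose first successful
// GET /api/settings is followed within window by a request under backupPrefix.
func DetectSettingsToBackup(lines []string, window time.Duration) []Finding {
	seen := map[string]time.Time{} // client -> first successful settings read
	flagged := map[string]bool{}
	var out []Finding
	for _, raw := range lines {
		l, ok := parseLine(raw)
		if !ok {
			continue
		}
		if l.method == "GET" && l.path == "/api/settings" && l.status == 200 {
			if _, have := seen[l.client]; !have {
				seen[l.client] = l.at
			}
			continue
		}
		t, have := seen[l.client]
		if have && !flagged[l.client] && strings.HasPrefix(l.path, backupPrefix) && l.at.Sub(t) <= window {
			out = append(out, Finding{Client: l.client, Settings: t, Backup: l.method + " " + l.path})
			flagged[l.client] = true
		}
	}
	return out
}

// SampleLog is a constructed excerpt (not real traffic) in nginx combined format.
var SampleLog = []string{
	`10.0.0.5 - - [04/May/2026:21:10:01 +0000] "GET /api/settings HTTP/1.1" 200 2310 "-" "curl/8.5"`,
	`10.0.0.5 - - [04/May/2026:21:10:09 +0000] "GET /api/backup HTTP/1.1" 200 53120 "-" "curl/8.5"`,
	`10.0.0.5 - - [04/May/2026:21:10:40 +0000] "POST /api/backup/restore HTTP/1.1" 200 18 "-" "curl/8.5"`,
	`10.0.0.9 - - [04/May/2026:21:11:00 +0000] "GET /api/settings HTTP/1.1" 200 2310 "-" "Mozilla/5.0"`,
	`10.0.0.9 - - [04/May/2026:21:11:30 +0000] "GET /api/sites HTTP/1.1" 200 880 "-" "Mozilla/5.0"`,
	`10.0.0.7 - - [04/May/2026:21:12:00 +0000] "GET /api/backup HTTP/1.1" 401 12 "-" "curl/8.5"`,
}

func main() {
	for _, f := range DetectSettingsToBackup(SampleLog, 10*time.Minute) {
		fmt.Printf("%s read /api/settings at %s, then %s\n",
			f.Client, f.Settings.Format(time.RFC3339), f.Backup)
	}
}
```

On the sample data only 10.0.0.5 is reported: 10.0.0.9 reads settings but never touches a backup route, and 10.0.0.7 hits the backup route without a prior settings read (and is rejected with 401 anyway). The window keeps unrelated admin activity from being paired; an operator would tune it to how quickly the rollback in the advisory could plausibly follow the settings read.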

Remediation

Users are advised to update Nginx UI to version 2.3.8 or later, where this vulnerability has been patched.

Added: May 4, 2026, 9:22 PM
Updated: May 5, 2026, 11:59 AM

Vulnerability Rating

Custom Algorithm

spread:         0.3
impact:         7.5
exploitability: 6.2
remediation:    7.7
relevance:      7.4
threat:         6.4
urgency:        2.9
incentive:      0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.