CVE-2026-42223: Authenticated Sensitive Information Disclosure in Nginx UI Vulnerability ID: CVE-2026-42223 CVSS Score: 6.5 Published: 2026-05-06 Nginx UI versions prior to 2.3.8 suffer from an asymmetric security control enforcement vulnerability. Go's standard JSON marshaler ignores custom struct tags meant to protect sensitive configuration fields, leading to the exposure of JWT secrets, node secrets, and OIDC client credentials to any authenticated user. This allows privilege escalation to full administrator. TL;DR Any authenticated user can retrieve administrative secrets (including the JWT signing key) due to flawed struct serialization, enabling total application compromise and privilege escalation.…