Insecure Direct Object Reference in Nginx UI Web Interface
CVE-2026-33030

8.8 HIGH

Key Information:

Vendor

0xjacky

Status
Vendor
CVE Published: 30 March 2026

What is CVE-2026-33030?

Nginx UI, the web user interface for Nginx, is affected by an Insecure Direct Object Reference (IDOR) vulnerability. Authenticated users can exploit this flaw to access, modify, or delete resources owned by other users without authorization. Because the application's main Model struct lacks a user_id field, resource queries do not verify ownership, which breaks isolation between users in multi-user settings. As of now, there are no publicly available patches to rectify this issue, which could potentially allow further exploitation.
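
The missing ownership check described above, shown as an added Go example that is not nginx-ui's own code. The Resource type, its UserID field, the in-memory store and both function names are hypothetical, and the sample records are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Resource is a hypothetical record type, not nginx-ui's actual Model struct.
// UserID is the ownership column the advisory says is missing.
type Resource struct {
	ID     int
	UserID int
	Name   string
}

var ErrNotFound = errors.New("resource not found")

// Constructed sample data: two users, one resource each.
var store = map[int]Resource{
	1: {ID: 1, UserID: 100, Name: "alice-site.conf"},
	2: {ID: 2, UserID: 200, Name: "bob-site.conf"},
}

// GetUnscoped looks a record up by ID alone, the pattern the advisory
// describes: the caller's identity is never consulted.
func GetUnscoped(id int) (Resource, error) {
	r, ok := store[id]
	if !ok {
		return Resource{}, ErrNotFound
	}
	return r, nil
}

// GetOwned adds the ownership predicate (WHERE id = ? AND user_id = ?).
// A record owned by another user yields the same error as a missing one,
// so the response does not reveal which IDs exist.
func GetOwned(callerID, id int) (Resource, error) {
	r, ok := store[id]
	if !ok || r.UserID != callerID {
		return Resource{}, ErrNotFound
	}
	return r, nil
}

func main() {
	r, _ := GetUnscoped(2)
	fmt.Println("unscoped lookup returns record owned by user", r.UserID)
	_, err := GetOwned(100, 2)
	fmt.Println("scoped lookup by user 100:", err)
}
```

The same predicate has to be applied to update and delete paths as well as reads, since the advisory lists all three.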

Affected Version(s)

nginx-ui <= 2.3.3

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
