Access Control Flaw in Nginx UI Affects User Authentication Integrity
CVE-2026-33031

8.6 HIGH

Key Information:

Vendor: 0xjacky

CVE Published: 20 April 2026

What is CVE-2026-33031?

Nginx UI, a web-based interface for managing Nginx servers, has an access control vulnerability: API tokens issued to a user remain usable after an administrator disables that user's account. An attacker who holds a compromised token therefore keeps access to protected resources even after the account is marked as disabled, and could use it to modify data or create new accounts with the same privileges. The issue is fixed in version 2.3.4; upgrade immediately to protect user accounts and API interactions.
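The flaw class described above, shown as an added example that is not Nginx UI's code and does not come from the advisory: a token check that accepts any known token, beside one that re-reads the account status on every request. The types, function names and token value are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// User and Store are hypothetical stand-ins, not Nginx UI's own types.
type User struct{ Disabled bool }

type Store struct {
	users  map[string]*User  // user name -> account record
	tokens map[string]string // API token -> user name
}

var ErrUnauthorized = errors.New("unauthorized")

// NewDemoStore returns a store with one constructed account and token.
func NewDemoStore() *Store {
	return &Store{
		users:  map[string]*User{"alice": {}},
		tokens: map[string]string{"constructed-token-1": "alice"},
	}
}

// AuthTokenOnly models the flawed pattern: a known token is enough.
func (s *Store) AuthTokenOnly(token string) (*User, error) {
	if name, ok := s.tokens[token]; ok {
		return s.users[name], nil
	}
	return nil, ErrUnauthorized
}

// AuthCheckStatus rejects tokens whose owner is missing or disabled.
func (s *Store) AuthCheckStatus(token string) (*User, error) {
	u, ok := s.users[s.tokens[token]]
	if !ok || u.Disabled {
		return nil, ErrUnauthorized
	}
	return u, nil
}

func main() {
	s := NewDemoStore()
	s.users["alice"].Disabled = true // administrator disables the account
	_, weak := s.AuthTokenOnly("constructed-token-1")
	_, strict := s.AuthCheckStatus("constructed-token-1")
	fmt.Println("token-only:", weak, "| status-checked:", strict)
}
```

Deleting a user's issued tokens at the moment the account is disabled is a complementary control, so that a stale token fails even if some code path skips the status check.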

Affected Version(s)

nginx-ui < 2.3.4

CVSS V4

Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
