Cross-Site WebSocket Hijacking Vulnerability in Nginx UI by 0xjacky
CVE-2026-34403

5.5 MEDIUM

Key Information:

Vendor: 0xjacky
Status: Vendor
CVE Published: 20 April 2026

What is CVE-2026-34403?

Nginx UI, a web user interface for managing Nginx, contained a cross-site WebSocket hijacking (CSWSH) flaw in versions prior to 2.3.5. All WebSocket endpoints in affected versions used a gorilla/websocket Upgrader that accepted handshakes from any origin without validating the Origin header. A WebSocket handshake is not covered by the same-origin policy or by CORS: script on any page can open a connection to any host, and the browser attaches that host's cookies to the handshake. The Origin header is therefore the server's only way to tell a handshake started by its own front end from one started by an attacker's page, and the affected Upgrader ignored it. Compounding this, the authentication token was stored in a browser cookie that lacked the HttpOnly and SameSite attributes, so the browser could attach it to cross-site handshakes, and script injected into the UI's own origin could read it outright. If a logged-in administrator visited a malicious site, that site could open an authenticated WebSocket connection to the Nginx UI instance and act on the administrator's behalf. The issue is fixed in version 2.3.5; operators should upgrade.
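
As an added illustration (not Nginx UI's code and not the 2.3.5 patch), the Go snippet below puts the permissive Upgrader.CheckOrigin pattern the advisory describes beside a same-host-plus-allow-list check with the signature gorilla/websocket expects, and issues the session cookie with the HttpOnly and SameSite attributes the advisory says were missing. The hostnames, the cookie name and the /ws path are constructed placeholders, and only the standard library is imported, so it runs without gorilla/websocket installed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// OriginPolicy decides which browser origins may complete a WebSocket handshake.
// CheckOrigin has the signature gorilla/websocket expects for Upgrader.CheckOrigin,
// so it can be wired in as upgrader.CheckOrigin = policy.CheckOrigin.
type OriginPolicy struct {
	// AllowedOrigins lists extra scheme://host[:port] origins permitted besides
	// the request's own Host (for example a front end served from another domain).
	AllowedOrigins []string
	// RequireOrigin rejects handshakes that carry no Origin header. Browsers always
	// send Origin on a WebSocket handshake; non-browser clients usually do not, and
	// they are not the victims of cross-site hijacking, so false mirrors the
	// behaviour of gorilla's built-in default check.
	RequireOrigin bool
}

// permissiveCheckOrigin is the "before" state the advisory describes: every Origin
// is accepted, so any page a logged-in admin visits can open an authenticated
// socket. Illustrative reconstruction of the pattern, not Nginx UI's source.
func permissiveCheckOrigin(r *http.Request) bool { return true }

// CheckOrigin accepts the handshake only if the Origin header names the host the
// request was sent to, or an explicitly allow-listed origin.
func (p OriginPolicy) CheckOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		return !p.RequireOrigin
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" { // also rejects the literal "null" origin
		return false
	}
	// Both sides carry the port only when it is non-default, so Origin
	// "https://ui.example.test" matches Host "ui.example.test", while
	// "https://ui.example.test.evil.test" or "https://ui.example.test@evil.test"
	// (userinfo trick, host is evil.test) do not.
	if strings.EqualFold(u.Host, r.Host) {
		return true
	}
	for _, allowed := range p.AllowedOrigins {
		if strings.EqualFold(strings.TrimRight(allowed, "/"), origin) {
			return true
		}
	}
	return false
}

// setSessionCookie issues the session token with the attributes the advisory
// reports missing. SameSite is what keeps a browser from attaching the cookie to a
// cross-site handshake; HttpOnly only stops script on the UI's own origin from
// reading the token and does not by itself prevent hijacking. The cookie name is
// whatever the caller passes; it is not the name Nginx UI uses.
func setSessionCookie(w http.ResponseWriter, name, token string, secure bool) {
	http.SetCookie(w, &http.Cookie{
		Name:     name,
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteStrictMode,
	})
}

// newHandshake builds a constructed WebSocket upgrade request for the examples
// below; the "/ws" path is a placeholder. origin == "" omits the Origin header,
// as a non-browser client would.
func newHandshake(host, origin string) *http.Request {
	r := httptest.NewRequest(http.MethodGet, "/ws", nil)
	r.Host = host
	r.Header.Set("Connection", "Upgrade")
	r.Header.Set("Upgrade", "websocket")
	if origin != "" {
		r.Header.Set("Origin", origin)
	}
	return r
}

func main() {
	policy := OriginPolicy{AllowedOrigins: []string{"https://console.example.test"}}
	for _, origin := range []string{
		"https://ui.example.test",           // same host: allowed
		"https://console.example.test",      // allow-listed front end: allowed
		"https://ui.example.test.evil.test", // lookalike suffix: rejected
		"null",                              // sandboxed frame / file: rejected
		"",                                  // no Origin, non-browser client: allowed
	} {
		r := newHandshake("ui.example.test", origin)
		fmt.Printf("origin=%-36q permissive=%v strict=%v\n",
			origin, permissiveCheckOrigin(r), policy.CheckOrigin(r))
	}
}
```

Assign policy.CheckOrigin to the Upgrader's CheckOrigin field; leaving the field nil gives gorilla's built-in same-host check, and a function that always returns true is the permissive state. The Origin check is the primary control. SameSite only distinguishes sites, so a page on a sibling subdomain is still same-site and passes it, and Chromium already treats attribute-less cookies as Lax and withholds them from cross-site handshakes while Firefox and Safari do not, which is why the attribute must be set explicitly rather than relied on as a default. If the UI sits behind a reverse proxy that rewrites Host, the same-host comparison fails for legitimate clients; put the public origin in AllowedOrigins rather than falling back to return true.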

Affected Version(s)

nginx-ui < 2.3.5

CVSS V4

Score: 5.5
Severity: MEDIUM
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability reserved

  • Vulnerability published: 20 April 2026