High severity8.1NVD Advisory· Published Apr 20, 2026· Updated Apr 22, 2026
CVE-2026-33031
CVE-2026-33031
Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
github.com/0xJacky/Nginx-UIGo | < 1.9.10-0.20260314152518-7b66578adb47 | 1.9.10-0.20260314152518-7b66578adb47 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/0xJacky/nginx-ui/security/advisories/GHSA-x234-x5vq-cc2vnvdExploitVendor AdvisoryWEB
- github.com/advisories/GHSA-x234-x5vq-cc2vghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-33031ghsaADVISORY
- github.com/0xJacky/nginx-ui/commit/7b66578adb47bbec839b621a4666495249379174ghsaWEB
- github.com/0xJacky/nginx-ui/releases/tag/v2.3.4ghsaWEB
News mentions
0No linked articles in our index yet.