πŸ” CVE Alert

CVE-2026-33031

UNKNOWN 0.0

Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user's access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible for the disabled user to maintain the privilege. Version 2.3.4 patches the issue.
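The failure mode described above, as an added illustration (this is not nginx-ui's code and not its actual fix): a verifier that trusts signature and expiry alone keeps accepting a token after the account is disabled, while one that also consults current account state rejects it. The token format, key, user name and function names are hypothetical and constructed for the example.

```go
package main
import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strconv"
	"strings"
	"time"
)
var key = []byte("constructed-demo-key") // constructed secret; all names here are hypothetical
func sign(msg string) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return hex.EncodeToString(m.Sum(nil))
}

// Issue returns "<user>.<expiry>.<mac>", a simplified stand-in for a JWT.
func Issue(user string, ttl time.Duration, now time.Time) string {
	body := user + "." + strconv.FormatInt(now.Add(ttl).Unix(), 10)
	return body + "." + sign(body)
}

// VerifyStateless checks signature and expiry only (the flawed pattern).
func VerifyStateless(tok string, now time.Time) (string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(sign(p[0]+"."+p[1])), []byte(p[2])) {
		return "", errors.New("bad token")
	}
	if exp, err := strconv.ParseInt(p[1], 10, 64); err != nil || now.Unix() >= exp {
		return "", errors.New("expired token")
	}
	return p[0], nil
}

// VerifyWithStatus also consults current account state on every request.
func VerifyWithStatus(tok string, now time.Time, disabled map[string]bool) (string, error) {
	name, err := VerifyStateless(tok, now)
	if err == nil && disabled[name] {
		return "", errors.New("account disabled")
	}
	return name, err
}

func main() {
	now := time.Unix(1700000000, 0) // constructed clock value
	tok := Issue("alice", time.Hour, now)
	_, e1 := VerifyStateless(tok, now)
	_, e2 := VerifyWithStatus(tok, now, map[string]bool{"alice": true})
	println("stateless accepts:", e1 == nil, "| status check:", e2.Error())
}
```

On unpatched versions, waiting out the token lifetime is not sufficient containment on its own, since the description notes that a valid token can be used to create new accounts; review accounts created after the disable action.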

CWE: CWE-284, CWE-863
Vendor: 0xjacky
Product: nginx-ui
Published: Apr 20, 2026

Affected Versions

0xJacky / nginx-ui
< 2.3.4

References

NVD, CVE.org, EPSS Data
github.com: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-x234-x5vq-cc2v