CVE-2026-33031: Improper Access Control via Stateless JWT Validation in Nginx UI
Vulnerability ID: CVE-2026-33031
CVSS Score: 8.6
Published: 2026-04-21
Nginx UI versions prior to 2.3.4 contain an improper access control vulnerability resulting from incomplete JSON Web Token (JWT) validation. The application verifies the cryptographic signature and expiration of API tokens but fails to perform a stateful check against the underlying user database to confirm the account remains active. An attacker with a previously issued JWT can maintain full administrative access to the Nginx UI management interface even after their account is disabled by an administrator.
TL;DR
A flaw in Nginx UI (< 2.3.4) allows disabled users to retain access using unexpired JWTs. The system fails to check user account status during API request validation, enabling privilege escalation and persistence.
Technical Details
- CWE ID: CWE-284, CWE-863
- Attack Vector: Network
- CVSS 4.0 Score: 8.6
- Impact: High Confidentiality, High Integrity (Privilege Escalation)
- EPSS Percentile: 11.57%
- Exploit Status: None (No public PoC)
- CISA KEV: Not Listed
Affected Systems
- Nginx UI: < 2.3.4 (Fixed in: 2.3.4)
Code Analysis
Commit: 7b66578
Fix: Introduce stateful JWT validation (the user record is looked up and its status checked on each request), cache purging, and token deletion logic for suspended users.
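To make the difference between the pre-fix and post-fix behaviour concrete, the following Go program (an added illustration written for this page, not Nginx UI's own code or its actual JWT library) implements a minimal HS256 verifier two ways. `VerifyStateless` performs only the signature and `exp` checks described above; `VerifyStateful` adds the lookup the fix introduces and rejects unknown or disabled accounts. The `UserStore` map, the `Active` flag, the claim layout and the secret values are all constructed assumptions. Running `main` shows that after an administrator disables the account the stateless path still accepts the token, the stateful path rejects it, and rotating the signing secret (the interim mitigation listed below) invalidates it on both paths.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the minimal payload this example signs: subject and expiry.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// User is a record in the hypothetical user store that stands in for the
// application's database; Active is the flag the stateful check consults.
type User struct {
	Name   string
	Active bool
}

// UserStore maps subject to user (constructed stand-in, not the project's schema).
type UserStore map[string]User

var (
	ErrBadToken    = errors.New("malformed token or bad signature")
	ErrExpired     = errors.New("token expired")
	ErrUnknownUser = errors.New("subject not found")
	ErrDisabled    = errors.New("account disabled")
)

func enc(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign produces an HS256 compact JWT for the given claims (constructed issuer).
func Sign(secret []byte, c Claims) string {
	header := enc([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(c)
	input := header + "." + enc(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + enc(mac.Sum(nil))
}

// VerifyStateless performs only the checks the pre-2.3.4 code performed:
// HS256 signature and exp. It never consults the user store.
func VerifyStateless(secret []byte, token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, ErrBadToken
	}
	// Pin the algorithm so a caller-supplied header cannot change it.
	hdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	var h struct{ Alg string `json:"alg"` }
	if err != nil || json.Unmarshal(hdr, &h) != nil || h.Alg != "HS256" {
		return Claims{}, ErrBadToken
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, ErrBadToken
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err != nil || json.Unmarshal(payload, &c) != nil {
		return Claims{}, ErrBadToken
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, ErrExpired
	}
	return c, nil
}

// VerifyStateful is the hardened form: after the cryptographic checks it looks
// the subject up and rejects unknown or disabled accounts, so disabling a user
// takes effect immediately rather than at the token's exp.
func VerifyStateful(secret []byte, token string, now time.Time, store UserStore) (Claims, error) {
	c, err := VerifyStateless(secret, token, now)
	if err != nil {
		return Claims{}, err
	}
	u, ok := store[c.Sub]
	if !ok {
		return Claims{}, ErrUnknownUser
	}
	if !u.Active {
		return Claims{}, ErrDisabled
	}
	return c, nil
}

func main() {
	secret := []byte("constructed-example-secret")
	store := UserStore{"alice": {Name: "alice", Active: true}}
	now := time.Now()
	tok := Sign(secret, Claims{Sub: "alice", Exp: now.Add(time.Hour).Unix()})
	store["alice"] = User{Name: "alice", Active: false} // administrator disables the account
	_, err := VerifyStateless(secret, tok, now)
	fmt.Println("stateless after disable:", err) // <nil>: still accepted
	_, err = VerifyStateful(secret, tok, now, store)
	fmt.Println("stateful after disable: ", err) // account disabled
	_, err = VerifyStateless([]byte("rotated-secret"), tok, now)
	fmt.Println("after secret rotation:  ", err) // bad signature
}
```

The stateful lookup is the part that matters for this CVE: a token's signature and expiry say nothing about what has happened to the account since issuance, so any "disable user" action that does not also reach the request path (a status lookup, a revocation list, or a server-side session/token table as the fix's token-deletion logic provides) leaves the old token valid until `exp`.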
Mitigation Strategies
- Upgrade Nginx UI to version 2.3.4 or later.
- Rotate the application's JwtSecret if immediate patching is not feasible.
- Audit the Nginx UI user database for unauthorized account creation.
- Review Nginx configuration files for unauthorized routing changes or TLS modifications.
Remediation Steps:
- Download the Nginx UI version 2.3.4 release binary or pull the latest Docker image.
- Backup the existing Nginx UI database and configuration files.
- Deploy the new version and verify that the application service starts correctly.
- Log in as an administrator, disable a test account, and verify that the test account's active sessions are immediately terminated.
References
- GitHub Security Advisory: GHSA-x234-x5vq-cc2v
- Fix Commit: 7b66578adb47bbec839b621a4666495249379174
- Release: v2.3.4