Description
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.
Published: 2026-03-30
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: Unauthorized access and modification of other users' resources through authentication bypass.
Action: Assess Impact
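The missing ownership check the description refers to, as an added Go example that is not nginx-ui's own code: a hypothetical DNSCredential store with the vulnerable lookup by ID alone beside a lookup scoped to the caller's user ID (the type names, the in-memory store and the seeded rows are all constructed for this example).

```go
package main

import (
	"errors"
	"fmt"
)

// ErrNotFound is returned for "not yours" exactly as for "no such row".
var ErrNotFound = errors.New("record not found")

// DNSCredential is a hypothetical owned resource (constructed for this example).
// ID is the only field the advisory's base Model carries; UserID is the missing one.
type DNSCredential struct {
	ID     uint
	UserID uint
	Token  string
}

type Store struct{ rows map[uint]DNSCredential } // in-memory stand-in for the table

// FindByID is the vulnerable pattern: a lookup by primary key alone.
func (s *Store) FindByID(id uint) (DNSCredential, error) {
	if c, ok := s.rows[id]; ok {
		return c, nil
	}
	return DNSCredential{}, ErrNotFound
}

// FindByIDForUser is the hardened pattern (WHERE id = ? AND user_id = ?).
func (s *Store) FindByIDForUser(id, userID uint) (DNSCredential, error) {
	if c, ok := s.rows[id]; ok && c.UserID == userID {
		return c, nil
	}
	return DNSCredential{}, ErrNotFound
}

// NewStore seeds two rows owned by different users (constructed data).
func NewStore() *Store {
	return &Store{rows: map[uint]DNSCredential{
		1: {1, 100, "token-of-user-100"},
		2: {2, 200, "token-of-user-200"},
	}}
}

func main() {
	s := NewStore()
	_, unscoped := s.FindByID(1)           // caller 200 reads user 100's row
	_, scoped := s.FindByIDForUser(1, 200) // the scoped lookup refuses it
	fmt.Println(unscoped == nil, scoped == nil) // prints: true false
}
```

Returning the same ErrNotFound for a foreign row and for a missing row keeps the endpoint from confirming which IDs exist.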
AI Analysis

Impact

Nginx UI versions 2.3.3 and earlier contain an Insecure Direct Object Reference flaw that permits any authenticated user to read, change, or delete other users' data. The vulnerability stems from missing ownership checks on resource endpoints, allowing complete authorization bypass. Attackers can take control of other users’ accounts, manipulate configurations, and potentially steal sensitive DNS API tokens or ACME private keys stored by other users.

Affected Systems

The affected product is 0xJacky’s nginx-ui, specifically all releases 2.3.3 and below.

Risk and Exploitability

The flaw receives a high severity CVSS score of 8.8, indicating substantial impact if exploited. No EPSS data is available, and it is not listed in CISA’s KEV catalog, suggesting that exploitable code has not yet been widely recorded. The attack vector is inferred to be authenticated access to the UI; an attacker must first log in to the web interface to trigger the bypass. Once authenticated, the attacker can perform unauthorized CRUD operations on any resource.

Generated by OpenCVE AI on March 30, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or remove the vulnerable nginx-ui installation until a vendor patch becomes available.
  • Restrict authenticated UI access to only trusted, high‑privileged users or enforce role‑based access control to limit actions.
  • Audit all existing DNS API tokens and ACME private keys, revoke compromised credentials, and regenerate new ones.
  • Monitor system logs for unauthorized modifications or unexpected token usage.
  • Apply the vendor‑released fix or upgrade to a patched version as soon as it is released.

Generated by OpenCVE AI on March 30, 2026 at 19:22 UTC.


Advisories

Source: Github GHSA
ID: GHSA-5hf2-vhj6-gj9m
Title: nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys
History

Mon, 30 Mar 2026 18:15:00 +0000

Values removed: (none)

Values added:
  • Description: Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.
  • Title: Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys
  • Weaknesses: CWE-639, CWE-78
  • References: (none)
  • Metrics: cvssV3_1, score 8.8, vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T17:58:54.381Z

Reserved: 2026-03-17T17:22:14.669Z

Link: CVE-2026-33030

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-03-30T18:16:19.243

Modified: 2026-03-30T18:16:19.243

Link: CVE-2026-33030

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:55:21Z

Weaknesses