Description
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.
Published: 2026-03-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Authorization Bypass
Action: Assess Impact
AI Analysis

Impact

The vulnerability is an Insecure Direct Object Reference that allows any authenticated user in a multi‑user environment to read, modify, or delete resources belonging to other users. It arises because the base model in Nginx UI does not include a user identifier, so each resource endpoint queries by ID alone and never verifies ownership, giving a complete authorization bypass. The result is a compromise of the confidentiality, integrity, and availability of other users’ data. The weakness is classified as CWE‑639 (authorization bypass through a user-controlled key); the entry also lists CWE‑78 (OS command injection), indicating that attacker-influenced input may reach system commands.
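The ownership check that the description says is missing, shown as an added example in Go (Nginx UI is written in Go, but this is not the project's code): an in-memory store with a legacy base model that carries only an ID beside a hardened base model that also records a UserID, a lookup by ID alone that mirrors the defect, and the owner-scoped lookup and delete that a fix would use. The Site type, the store, and the user and resource IDs are assumptions constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrNotFound is returned both for a missing resource and for one owned by
// another user, so a caller cannot use the response to learn which IDs exist.
var ErrNotFound = errors.New("resource not found")

// LegacyModel mirrors the defect described in the advisory: a base model that
// carries only an ID, with nothing tying the row to the user who created it.
type LegacyModel struct {
	ID uint
}

// OwnedModel is the hardened base: every resource records its owner.
type OwnedModel struct {
	ID     uint
	UserID uint
}

// Site is a hypothetical per-user resource standing in for an Nginx site
// configuration. The name and fields are assumptions for this example.
type Site struct {
	OwnedModel
	Name string
}

// Store is an in-memory stand-in for the database table.
type Store struct {
	mu    sync.RWMutex
	sites map[uint]Site
}

// NewStore seeds the store with the given sites.
func NewStore(seed ...Site) *Store {
	s := &Store{sites: make(map[uint]Site, len(seed))}
	for _, site := range seed {
		s.sites[site.ID] = site
	}
	return s
}

// FindByID reproduces the vulnerable query shape: lookup by ID alone, with no
// check that the caller owns the row. Any authenticated user gets any site.
func (s *Store) FindByID(id uint) (Site, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	site, ok := s.sites[id]
	if !ok {
		return Site{}, ErrNotFound
	}
	return site, nil
}

// FindOwned is the fixed query: the owner is part of the lookup key, the
// equivalent of adding "AND user_id = ?" to the WHERE clause.
func (s *Store) FindOwned(id, userID uint) (Site, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	site, ok := s.sites[id]
	if !ok || site.UserID != userID {
		return Site{}, ErrNotFound
	}
	return site, nil
}

// DeleteOwned removes a site only when the caller owns it; the same scoping
// must apply to every mutating endpoint, not just reads.
func (s *Store) DeleteOwned(id, userID uint) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	site, ok := s.sites[id]
	if !ok || site.UserID != userID {
		return ErrNotFound
	}
	delete(s.sites, id)
	return nil
}

func main() {
	store := NewStore(
		Site{OwnedModel: OwnedModel{ID: 1, UserID: 10}, Name: "alice.example"},
		Site{OwnedModel: OwnedModel{ID: 2, UserID: 20}, Name: "bob.example"},
	)
	// Vulnerable path: user 10 retrieves user 20's site just by supplying its ID.
	leaked, _ := store.FindByID(2)
	fmt.Println("unscoped lookup:", leaked.Name)
	// Fixed path: the same request is refused because the owner does not match.
	_, err := store.FindOwned(2, 10)
	fmt.Println("scoped lookup:", err)
}
```

The scoped variants return the same ErrNotFound whether the row is absent or belongs to someone else, so the API does not become an existence oracle for other users' resource IDs; the caller's user ID must come from the authenticated session, never from the request body or URL.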

Affected Systems

Nginx UI, a web user interface for the Nginx server published by 0xJacky, is affected in versions 2.3.3 and earlier. No other vendors or product versions are listed in the CVE entry, so only this product and version range are impacted.

Risk and Exploitability

The CVSS score of 8.8 marks the issue as high severity, but the EPSS score of less than 1% suggests a low probability that it is currently being exploited. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires that an attacker first authenticate to the Nginx UI; once logged in, they can target arbitrary resource identifiers to access or alter other users’ data. No patch is publicly available at the time of publication, leaving the risk active until a fix is released.

Generated by OpenCVE AI on April 2, 2026 at 04:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Identify all installations of Nginx UI 2.3.3 and earlier and verify if the application runs in a multi‑user setting.
  • Restrict or disable multi‑user mode until a vendor patch becomes available, or isolate user resources to enforce proper authorization.
  • If feasible, replace Nginx UI with an alternative that provides per‑user access controls.
  • Log all API and UI activity and monitor for anomalous resource access patterns.
  • Contact 0xJacky for patch updates and apply any released fix as soon as possible.
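One way to act on the logging and monitoring recommendation above, as an added example that is not part of the OpenCVE page or of Nginx UI: a small Go detector that parses constructed access-log lines (the key=value format, field names and user names are assumptions, not Nginx UI's real log format), counts the distinct resource IDs each user touches per API collection, and flags users whose count exceeds a threshold, noting when the IDs form a consecutive run.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"sort"
	"strconv"
	"strings"
)

// Constructed sample log in key=value form. This is not Nginx UI's real log
// format; the field names and users are assumptions for the example.
const sampleLog = `2026-04-02T08:00:01Z user=alice method=GET path=/api/sites/17 status=200
2026-04-02T08:00:03Z user=alice method=PUT path=/api/sites/17 status=200
2026-04-02T08:00:05Z user=alice method=GET path=/api/sites/18 status=200
2026-04-02T08:01:00Z user=bob method=GET path=/api/certs/3 status=200
2026-04-02T08:01:02Z user=bob method=GET path=/api/certs/3 status=200
2026-04-02T08:02:00Z user=mallory method=GET path=/api/sites/1 status=200
2026-04-02T08:02:01Z user=mallory method=GET path=/api/sites/2 status=200
2026-04-02T08:02:02Z user=mallory method=GET path=/api/sites/3 status=200
2026-04-02T08:02:03Z user=mallory method=GET path=/api/sites/4 status=200
2026-04-02T08:02:04Z user=mallory method=GET path=/api/sites/5 status=200
2026-04-02T08:02:05Z user=mallory method=GET path=/api/sites/6 status=200
2026-04-02T08:03:00Z user=mallory method=GET path=/api/health status=200`

// Access is one parsed request against a resource-by-ID endpoint.
type Access struct {
	User, Method, Collection string
	ID, Status               int
}

// lineRE matches the constructed format; only paths of the form
// /api/<collection>/<numeric id> matter for ownership monitoring.
var lineRE = regexp.MustCompile(`user=(\S+) method=(\S+) path=/api/([a-z_]+)/(\d+) status=(\d+)`)

// ParseLine returns false for lines that do not address a resource by ID.
func ParseLine(line string) (Access, bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Access{}, false
	}
	id, _ := strconv.Atoi(m[4])
	status, _ := strconv.Atoi(m[5])
	return Access{User: m[1], Method: m[2], Collection: m[3], ID: id, Status: status}, true
}

// Finding describes a user whose access pattern looks like resource enumeration.
type Finding struct {
	User, Collection string
	DistinctIDs      int
	Sequential       bool // the touched IDs form a consecutive run
}

// DetectEnumeration flags users who touch more than maxDistinct distinct IDs
// in one collection. Under a successful IDOR every request returns 200, so the
// signal is breadth of IDs rather than error status; a consecutive run of IDs
// is a further hint that IDs are being walked rather than navigated to.
func DetectEnumeration(logText string, maxDistinct int) []Finding {
	type key struct{ user, coll string }
	seen := map[key]map[int]struct{}{}
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		a, ok := ParseLine(sc.Text())
		if !ok {
			continue
		}
		k := key{a.User, a.Collection}
		if seen[k] == nil {
			seen[k] = map[int]struct{}{}
		}
		seen[k][a.ID] = struct{}{}
	}
	var out []Finding
	for k, ids := range seen {
		if len(ids) <= maxDistinct {
			continue
		}
		sorted := make([]int, 0, len(ids))
		for id := range ids {
			sorted = append(sorted, id)
		}
		sort.Ints(sorted)
		seq := true
		for i := 1; i < len(sorted); i++ {
			if sorted[i] != sorted[i-1]+1 {
				seq = false
				break
			}
		}
		out = append(out, Finding{User: k.user, Collection: k.coll, DistinctIDs: len(sorted), Sequential: seq})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].User < out[j].User })
	return out
}

func main() {
	for _, f := range DetectEnumeration(sampleLog, 3) {
		fmt.Printf("%s touched %d distinct %s IDs (sequential=%v)\n", f.User, f.DistinctIDs, f.Collection, f.Sequential)
	}
}
```

The threshold should be set from a baseline of how many resources a legitimate user of the deployment actually owns; with the constructed sample and a threshold of 3, only the user walking IDs 1 through 6 is reported.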



Advisories

  • Source: Github GHSA
    ID: GHSA-5hf2-vhj6-gj9m
    Title: nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys
History

Wed, 01 Apr 2026 23:45:00 +0000 (values added)
  • First Time appeared: Nginxui; Nginxui nginx Ui
  • CPEs: cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*
  • Vendors & Products: Nginxui; Nginxui nginx Ui

Wed, 01 Apr 2026 02:15:00 +0000 (values added)
  • First Time appeared: 0xjacky; 0xjacky nginx-ui
  • Vendors & Products: 0xjacky; 0xjacky nginx-ui

Tue, 31 Mar 2026 19:15:00 +0000 (values added)
  • Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 18:15:00 +0000 (values added)
  • Description: Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.
  • Title: Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys
  • Weaknesses: CWE-639; CWE-78
  • References:
  • Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}

MITRE
  Status: PUBLISHED
  Assigner: GitHub_M
  Published:
  Updated: 2026-03-31T19:09:45.914Z
  Reserved: 2026-03-17T17:22:14.669Z
  Link: CVE-2026-33030

Vulnrichment
  Updated: 2026-03-31T19:07:31.225Z

NVD
  Status: Analyzed
  Published: 2026-03-30T18:16:19.243
  Modified: 2026-04-01T18:21:15.343
  Link: CVE-2026-33030

Redhat
  No data.

OpenCVE Enrichment
  Updated: 2026-04-02T07:54:09Z

Weaknesses