Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue.
Published: 2026-04-20
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: Continued API access after user disabling (Authorization bypass)
Action: Apply Patch
AI Analysis

Impact

A previously issued bearer token remains valid for the entire token lifetime even after the associated user account is disabled by an administrator. This flaw allows an attacker who has obtained a JWT to continue reading and modifying protected resources, bypassing the intended access revocation. The weakness is classified as CWE‑284 and CWE‑863, indicating an improper authorization state and an authentication bypass token issue.

Affected Systems

The vulnerability affects Nginx UI, a web interface for the Nginx web server, when deployed before version 2.3.4. The affected product is managed by the 0xJacky project.

Risk and Exploitability

The CVSS score of 8.6 highlights a high severity due to the persistence of unauthorized access. While no EPSS score is available and the issue is not listed in CISA KEV, the potential for exploitation is significant. An attacker must obtain a valid JWT—typically through compromising the user account, phishing, or other credential theft—before the account is disabled. Once disabled, the attacker can continue to use the token until its expiry, potentially creating new accounts and escalating privileges. The attack vector is therefore inferred to be a post‑compromise use of a retained token.

Generated by OpenCVE AI on April 21, 2026 at 00:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nginx UI to version 2.3.4 or later. The patch removes the flaw that allows disabled users to keep bearer token validity.
  • Revoke or rotate all bearer tokens for users that have been disabled. Although the product does not automatically revoke tokens, manual revocation is a safe workaround.
  • Implement monitoring for anomalous API activity, such as continued requests from known disabled accounts, and configure alerts to detect potential misuse.

Generated by OpenCVE AI on April 21, 2026 at 00:00 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 20 Apr 2026 23:15:00 +0000

Type Values Removed Values Added
First Time appeared 0xjacky
0xjacky nginx-ui
Vendors & Products 0xjacky
0xjacky nginx-ui

Mon, 20 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue.
Title Nginx-UI: Disabled users retain full API access through previously issued bearer tokens
Weaknesses CWE-284
CWE-863
References
Metrics cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

0xjacky Nginx-ui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T20:12:07.905Z

Reserved: 2026-03-17T17:22:14.669Z

Link: CVE-2026-33031

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-04-20T21:16:32.783

Modified: 2026-04-20T21:16:32.783

Link: CVE-2026-33031

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T00:15:16Z

Weaknesses