Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue.
Published: 2026-04-20
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site WebSocket Hijacking enabling authenticated actions on nginx‑UI
Action: Patch immediately
AI Analysis

Impact

Based on the description, it is inferred that the likely attack vector involves a malicious webpage establishing a WebSocket connection to nginx‑UI. The flaw arises from nginx‑UI’s WebSocket endpoints using a gorilla/websocket Upgrader that unconditionally accepts any Origin header, effectively disabling origin validation. Consequently, a malicious webpage can open a WebSocket connection to an nginx‑UI instance and, if an administrator is already logged in, the browser will automatically supply the authentication cookie. Because this cookie is set via JavaScript without HttpOnly or SameSite attributes, client‑side scripts can also read it, allowing the attacker to impersonate the administrator and perform any action the legitimate user could, including altering configuration or uploading files.

Affected Systems

The vulnerability affects the nginx‑UI web user interface developed by 0xJacky. All releases prior to version 2.3.5 are vulnerable; the issue was fixed in release 2.3.5 and later.

Risk and Exploitability

The CVSS score of 5.5 indicates moderate severity. The EPSS score of <1% and the fact that the vulnerability is not listed in CISA’s KEV catalog suggest limited exploitation to date. Exploitation requires an administrator who is logged into the nginx‑UI to visit a malicious page; the attacker only needs to serve a crafted web page, making it a client‑side attack that can be launched from any network reachable by the victim’s browser. The absence of HttpOnly or SameSite attributes in the authentication cookie further lowers the barrier to exploitation, but the overall risk remains moderate until the fix is applied.

Generated by OpenCVE AI on April 22, 2026 at 03:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update nginx‑UI to version 2.3.5 or later to apply the origin‑validation patch.
  • Ensure administrators do not remain logged in while browsing untrusted sites; impose session timeouts or enforce a policy that requires re‑authentication before accessing high‑privilege functions.
  • If an immediate upgrade is not feasible, place a reverse‑proxy or web‑garden in front of nginx‑UI that validates the Origin header for WebSocket connections, adding an extra layer of enforcement until the upstream application can be updated.

Generated by OpenCVE AI on April 22, 2026 at 03:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-78mf-482w-62qj Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
History

Wed, 22 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Nginxui
Nginxui nginx Ui
CPEs cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*
Vendors & Products Nginxui
Nginxui nginx Ui
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N'}

Tue, 21 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared 0xjacky
0xjacky nginx-ui
Vendors & Products 0xjacky
0xjacky nginx-ui

Mon, 20 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue.
Title Nginx-UI vulnerable to Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
Weaknesses CWE-1385
References
Metrics cvssV4_0

{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

0xjacky Nginx-ui
Nginxui Nginx Ui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T13:36:46.510Z

Reserved: 2026-03-27T13:45:29.620Z

Link: CVE-2026-34403

cve-icon Vulnrichment

Updated: 2026-04-21T13:36:39.685Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-20T21:16:36.267

Modified: 2026-04-22T17:35:42.613

Link: CVE-2026-34403

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T03:30:06Z

Weaknesses