CVE-2026-33031— Nginx-UI: Disabled users retain full API access through previously issued bearer tokens
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-33031
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Nginx-UI: Disabled users retain full API access through previously issued bearer tokens
Source: NVD (National Vulnerability Database)
Vulnerability Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
访问控制不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
Nginx UI 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Nginx UI是Jacky个人开发者的一个 Nginx 的 WebUI。 Nginx UI 2.3.4之前版本存在安全漏洞,该漏洞源于禁用用户仍可使用先前颁发的API令牌,可能导致攻击者在账户被禁用后继续访问受保护资源。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-33031
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-33031
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same product: nginx-ui
- CVE-2026-42238
Unauthenticated Remote Code Execution via Backup Restore in - CVE-2026-42223
nginx-ui: Settings API Exposes Protected Secrets - CVE-2026-42222
nginx-ui: Unauthenticated first-boot instance claim via POST - CVE-2026-42221
nginx-ui: Unauthenticated First-Run Installer Allows Remote - CVE-2026-42220
nginx-ui: Authenticated settings disclosure exposes node.sec
Same vendor: 0xJacky
- CVE-2026-42238
Unauthenticated Remote Code Execution via Backup Restore in - CVE-2026-42223
nginx-ui: Settings API Exposes Protected Secrets - CVE-2026-42222
nginx-ui: Unauthenticated first-boot instance claim via POST - CVE-2026-42221
nginx-ui: Unauthenticated First-Run Installer Allows Remote - CVE-2026-42220
nginx-ui: Authenticated settings disclosure exposes node.sec
Same weakness: CWE-284
- CVE-2026-8233
Dotouch XproUPF access control - CVE-2026-42569
phpvms: /importer authorization bypass causing full database - CVE-2026-42205
Avo: Broken Access Control: Unauthorized Execution of Arbitr - CVE-2026-41487
Langfuse: Improper role-based-access control in Langfuse LLM - CVE-2026-42278
UltraDAG: Smart Account Spending Policy Bypass via Pockets
V. Comments for CVE-2026-33031
No comments yet