CVE-2026-33030
Published: 30 March 2026
Summary
CVE-2026-33030 is a high-severity authorization-bypass vulnerability in Nginx UI (vendor: nginxui). The NVD description characterises it as an Insecure Direct Object Reference (IDOR, CWE-639); CWE-78 (OS Command Injection) is also listed against the record, but the mechanism described is the missing ownership check, not command injection. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked at the 12.3 percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-25 (Reference Monitor).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
AC-3 mandates enforcement of approved authorizations for logical access to resources, directly addressing the lack of user ownership verification in Nginx UI resource endpoints.
AC-24 requires an explicit authorization decision for every access to a system resource by a specific user or role, so that an authenticated user cannot reach another user's resource simply by supplying its ID in a request.
AC-25 implements a reference monitor to mediate all resource accesses according to access control policies, comprehensively mitigating the authorization bypass in multi-user environments.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The IDOR/authorization bypass allows a low-privileged authenticated user to access, modify, or delete arbitrary resources belonging to other users, which the analysis maps to Exploitation for Privilege Escalation (T1068) in multi-user deployments.
NVD Description
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.
Deeper analysis
CVE-2026-33030 is an Insecure Direct Object Reference (IDOR) vulnerability in Nginx UI, a web user interface for the Nginx web server. It affects versions 2.3.3 and prior. The issue stems from the application's base Model struct lacking a user_id field, causing all resource endpoints to query by ID without verifying user ownership. This results in a complete authorization bypass in multi-user environments, with a CVSS v3.1 base score of 8.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) and associated CWEs CWE-78 and CWE-639.
Any low-privileged authenticated user can exploit this vulnerability with low complexity and no user interaction required; the vector rates the attack vector as local (AV:L). Attackers can access, modify, and delete resources belonging to other users. The high confidentiality, integrity, and availability ratings together with the changed scope (S:C) reflect that the impact extends beyond the attacker's own authorization scope in multi-user setups.
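The following Go program is an added illustration of the flaw class described above and is not code from Nginx UI or from the advisory. It contrasts the vulnerable pattern (a base Model with only an ID, and a lookup that queries by ID alone) with the hardened pattern (an owner field on the model and every read, update, and delete scoped to the calling user). The Site type, the in-memory Store, the user IDs, and the sample rows are all constructed for the example; a real deployment would express the scoped lookup as `WHERE id = ? AND user_id = ?` against its database.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ErrNotFound is returned both for a missing row and for a row the caller
// does not own. The two cases are deliberately indistinguishable so a
// caller cannot enumerate which IDs exist.
var ErrNotFound = errors.New("resource not found")

// Model is the shape the advisory describes: an ID and nothing to tie the
// row to a user, so an endpoint has nothing to check ownership against.
type Model struct {
	ID uint
}

// OwnedModel is the hardened base: every resource records its owner.
type OwnedModel struct {
	Model
	UserID uint
}

// Site is a hypothetical resource type used only for this example.
type Site struct {
	OwnedModel
	Name string
}

// Store is an in-memory stand-in for a database table.
type Store struct {
	rows map[uint]*Site
}

// NewStore seeds constructed sample data: user 1 owns site 1, user 2 owns site 2.
func NewStore() *Store {
	return &Store{rows: map[uint]*Site{
		1: {OwnedModel: OwnedModel{Model: Model{ID: 1}, UserID: 1}, Name: "alice.example"},
		2: {OwnedModel: OwnedModel{Model: Model{ID: 2}, UserID: 2}, Name: "bob.example"},
	}}
}

// GetByID reproduces the vulnerable lookup (`SELECT ... WHERE id = ?`):
// the caller's identity is never consulted, so any authenticated user who
// supplies another user's ID receives that user's resource.
func (s *Store) GetByID(id uint) (*Site, error) {
	if row, ok := s.rows[id]; ok {
		return row, nil
	}
	return nil, ErrNotFound
}

// GetByIDForUser is the hardened lookup (`WHERE id = ? AND user_id = ?`).
// A row owned by someone else is reported exactly like a missing row.
func (s *Store) GetByIDForUser(id, userID uint) (*Site, error) {
	row, ok := s.rows[id]
	if !ok || row.UserID != userID {
		return nil, ErrNotFound
	}
	return row, nil
}

// DeleteByIDForUser applies the same scoping to a destructive operation.
// The ownership check and the mutation are performed together so there is
// no separate "check by ID, then delete by ID" sequence to get wrong.
func (s *Store) DeleteByIDForUser(id, userID uint) error {
	if _, err := s.GetByIDForUser(id, userID); err != nil {
		return err
	}
	delete(s.rows, id)
	return nil
}

// StatusForGet maps the scoped lookup onto the HTTP status a handler would
// return: 200 for the owner, 404 for everyone else. 403 is avoided because
// it would confirm that the requested ID exists.
func StatusForGet(s *Store, id, userID uint) int {
	if _, err := s.GetByIDForUser(id, userID); errors.Is(err, ErrNotFound) {
		return http.StatusNotFound
	}
	return http.StatusOK
}

func main() {
	s := NewStore()
	// User 1 asks for site 2, which belongs to user 2.
	if site, err := s.GetByID(2); err == nil {
		fmt.Printf("vulnerable lookup leaked %q to user 1\n", site.Name)
	}
	fmt.Println("scoped lookup status for user 1:", StatusForGet(s, 2, 1))
	fmt.Println("scoped lookup status for user 2:", StatusForGet(s, 2, 2))
}
```

The essential change is structural rather than a per-endpoint patch: once the owner lives on the base model, every query helper can require it, and an endpoint that forgets to pass the caller's user ID fails to compile instead of silently serving another user's data.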
The GitHub security advisory (GHSA-5hf2-vhj6-gj9m) confirms that, at the time of publication on 2026-03-30, no publicly available patches exist for this vulnerability.
Details
- CWE(s)