CVE-2026-33031
Published: 20 April 2026
Summary
CVE-2026-33031 is a high-severity Improper Access Control (CWE-284) vulnerability in Nginx UI (vendor nginxui). Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 9.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
IA-5 requires disabling authenticators such as API tokens when associated accounts are disabled, directly preventing continued access with stolen JWTs.
AC-2 mandates proper account management including disabling accounts and revoking access, addressing the failure to terminate user privileges upon administrative disablement.
AC-3 enforces access control policies that validate current account status during token authentication, blocking unauthorized read/write access by disabled users.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw in a public-facing web UI lets a disabled user keep using previously issued tokens (Use Alternate Authentication Material: Application Access Token, T1550.001) and create new accounts for persistence (Create Account: Local Account, T1136.001); initial exploitation targets the exposed application (Exploit Public-Facing Application, T1190).
NVD Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user's access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible for the disabled user to maintain the privilege. Version 2.3.4 patches the issue.
Deeper analysis
CVE-2026-33031 affects Nginx UI, a web user interface for the Nginx web server, in versions prior to 2.3.4. The vulnerability stems from improper access control where a user disabled by an administrator can still use previously issued API tokens, such as JWTs, for their full lifetime. This fails to revoke access upon account disablement, allowing continued reading and modification of protected resources even after the account is marked inactive. The issue carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-284 (Improper Access Control) and CWE-863 (Incorrect Authorization).
An attacker with low privileges who compromises a legitimate user's account and steals a valid JWT can exploit this remotely over the network with low complexity and no user interaction. After the administrator disables the compromised account, the attacker retains the token's permissions to access confidential data and alter protected resources. Since these tokens can be used to create new accounts, the attacker can further maintain persistence by generating additional accounts with elevated privileges.
The GitHub security advisory (GHSA-x234-x5vq-cc2v) at https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-x234-x5vq-cc2v documents the flaw, confirming that Nginx UI version 2.3.4 resolves it by implementing proper token revocation or validation checks for disabled users.
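The failure mode above is a token check that trusts a JWT for its whole lifetime without consulting the account it was issued to. The following Go program is an added illustration written for this page; it is not Nginx UI's code and does not reproduce the project's fix. It mints and verifies HS256 JWTs with the standard library only, shows the weak validator (signature and expiry only) beside an account-aware validator that also rejects tokens of disabled users and tokens issued before a per-user revocation point, and runs a constructed scenario in which an administrator disables an account after a token was issued. The type and function names (`Claims`, `User`, `UserStore`, `Mint`, `VerifyTokenOnly`, `VerifyWithAccountState`, `Disable`) and the `TokensInvalidBefore` field are assumptions for this example, not identifiers from Nginx UI.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of standard JWT claims this example uses.
type Claims struct {
	Sub string `json:"sub"` // user ID the token was issued to
	Iat int64  `json:"iat"` // issued-at, Unix seconds
	Exp int64  `json:"exp"` // expiry, Unix seconds
}

// User is the server-side account record (assumed shape for this example).
// TokensInvalidBefore is a per-user revocation point: any token whose iat
// is earlier than it is rejected, even if the account is re-enabled later.
type User struct {
	ID                  string
	Enabled             bool
	TokensInvalidBefore time.Time
}

type UserStore map[string]*User

var (
	ErrBadToken     = errors.New("malformed token or bad signature")
	ErrExpired      = errors.New("token expired")
	ErrUnknownUser  = errors.New("unknown user")
	ErrUserDisabled = errors.New("account disabled")
	ErrRevoked      = errors.New("token issued before revocation point")
)

var b64 = base64.RawURLEncoding

// sign returns the base64url HS256 signature over the JWS signing input.
func sign(secret []byte, signingInput string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return b64.EncodeToString(mac.Sum(nil))
}

// Mint produces a compact HS256 JWT for the given claims.
func Mint(secret []byte, c Claims) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	input := header + "." + b64.EncodeToString(payload)
	return input + "." + sign(secret, input), nil
}

// VerifyTokenOnly is the weak pattern: signature and expiry are the only
// checks, so the token remains valid for its full lifetime no matter what
// happened to the account after issuance.
func VerifyTokenOnly(secret []byte, token string, now time.Time) (Claims, error) {
	var c Claims
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return c, ErrBadToken
	}
	expected := sign(secret, parts[0]+"."+parts[1])
	if !hmac.Equal([]byte(expected), []byte(parts[2])) {
		return c, ErrBadToken
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return c, ErrBadToken
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, ErrBadToken
	}
	if now.Unix() >= c.Exp {
		return c, ErrExpired
	}
	return c, nil
}

// VerifyWithAccountState is the hardened pattern: after the cryptographic
// checks, the live account record is consulted on every request.
func VerifyWithAccountState(secret []byte, token string, now time.Time, users UserStore) (Claims, error) {
	c, err := VerifyTokenOnly(secret, token, now)
	if err != nil {
		return c, err
	}
	u, ok := users[c.Sub]
	if !ok {
		return c, ErrUnknownUser
	}
	if !u.Enabled {
		return c, ErrUserDisabled
	}
	if time.Unix(c.Iat, 0).Before(u.TokensInvalidBefore) {
		return c, ErrRevoked
	}
	return c, nil
}

// Disable marks the account disabled and moves its revocation point to now,
// so tokens minted earlier stay invalid even if the account is re-enabled.
func Disable(users UserStore, id string, now time.Time) {
	if u, ok := users[id]; ok {
		u.Enabled = false
		u.TokensInvalidBefore = now
	}
}

func main() {
	secret := []byte("constructed-demo-secret") // constructed sample, not a real key
	users := UserStore{"alice": {ID: "alice", Enabled: true}}
	t0 := time.Date(2026, 4, 20, 12, 0, 0, 0, time.UTC)
	tok, _ := Mint(secret, Claims{Sub: "alice", Iat: t0.Unix(), Exp: t0.Add(24 * time.Hour).Unix()})
	Disable(users, "alice", t0.Add(time.Hour)) // admin disables the account one hour later
	later := t0.Add(2 * time.Hour)
	_, err := VerifyTokenOnly(secret, tok, later)
	fmt.Println("token-only check after disable:", err)
	_, err = VerifyWithAccountState(secret, tok, later, users)
	fmt.Println("account-aware check after disable:", err)
}
```

The per-request lookup is the part that closes the gap the advisory describes: a disabled flag alone stops a disabled user, and the revocation timestamp additionally ensures that re-enabling the account does not resurrect tokens issued before the disablement. In a real deployment the account lookup should hit the same store the administrator's disable action writes to, so the two cannot disagree.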
Details
- CWE(s)