Cyber Posture

CVE-2026-34403

High · Public PoC

Published: 20 April 2026
Modified: 22 April 2026
KEV Added: not listed
CVSS Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N)
EPSS Score: 0.0003 (8.5th percentile)
Risk Priority: 16 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34403 is a high-severity Missing Origin Validation in WebSockets (CWE-1385) vulnerability in Nginxui Nginx Ui. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent: Mandates secure configuration settings for WebSocket origin validation and authentication cookies with HttpOnly and SameSite attributes to prevent cross-site WebSocket hijacking.

prevent: Requires validation of Origin headers during WebSocket upgrades to block connections from untrusted cross-site origins, directly addressing the unconditional CheckOrigin flaw.

prevent: Ensures proper management and protection of authentication tokens in cookies to mitigate cross-site access by requiring secure storage attributes like HttpOnly and SameSite.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CSWSH vulnerability in the public-facing Nginx UI web application directly enables exploitation of the app to perform unauthorized admin actions via hijacked authenticated WebSocket sessions.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue.

Deeper analysis

CVE-2026-34403 is a Cross-Site WebSocket Hijacking (CSWSH) vulnerability, tracked under CWE-1385, affecting Nginx UI, a web user interface for the Nginx web server. In versions prior to 2.3.5, all WebSocket endpoints utilize a gorilla/websocket Upgrader where the CheckOrigin function unconditionally returns true, bypassing origin validation. This issue is exacerbated by authentication tokens stored in browser cookies set via JavaScript, lacking HttpOnly or explicit SameSite attributes, enabling cross-site access to these tokens. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

An attacker can exploit this vulnerability by luring a logged-in administrator to visit an attacker-controlled webpage. The malicious page can then establish authenticated WebSocket connections to the nginx-ui instance, leveraging the victim's cookies for authentication. This allows the attacker to perform actions on behalf of the administrator over the hijacked WebSocket, potentially compromising confidentiality and integrity of the nginx-ui configuration and related Nginx server management.

The GitHub security advisory (GHSA-78mf-482w-62qj) and release notes for version 2.3.5 detail the patch, which addresses the CheckOrigin misconfiguration and cookie handling deficiencies. Security practitioners should upgrade to nginx-ui version 2.3.5 or later to mitigate the issue, and review WebSocket implementations for similar origin validation flaws.
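The two defects the advisory names, an Upgrader CheckOrigin that always returns true and a token cookie set without HttpOnly or SameSite, side by side with hardened replacements. This is an added illustration, not nginx-ui's code or the 2.3.5 patch; the allowlist entry, cookie name and hostnames are constructed, and gorilla/websocket is not imported so it runs stand-alone (checkOrigin has the signature of the Upgrader.CheckOrigin field and would be assigned there).

```go
package main

import (
	"net/http"
	"net/url"
	"strings"
)

// vulnerableCheckOrigin reproduces the pre-2.3.5 behaviour the advisory describes:
// every Origin is accepted, so any site's page can open an authenticated WebSocket.
func vulnerableCheckOrigin(r *http.Request) bool { return true }

// extraAllowedOrigins is a constructed allowlist (placeholder value) for
// deployments reached through a hostname other than the request Host.
var extraAllowedOrigins = map[string]bool{"https://ui.example.internal": true}

// checkOrigin is the hardened replacement, typed to fit gorilla's Upgrader.CheckOrigin
// field: the upgrade is allowed only when Origin is same-host or allowlisted.
func checkOrigin(r *http.Request) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// Browsers always send Origin on a WebSocket handshake; a missing
		// header means a non-browser client, which cannot be a CSWSH victim.
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return false
	}
	if strings.EqualFold(u.Host, r.Host) {
		return true
	}
	return extraAllowedOrigins[strings.ToLower(u.Scheme+"://"+u.Host)]
}

// setSessionCookie issues the token server-side with the attributes the advisory
// says were missing: HttpOnly keeps script from reading it and SameSite=Strict
// stops the browser attaching it to cross-site requests, handshakes included.
func setSessionCookie(w http.ResponseWriter, token string) {
	http.SetCookie(w, &http.Cookie{
		Name:     "nginx-ui-token", // constructed name for this example
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
	})
}

func main() {}
```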

Details

CWE(s)

Affected Products

nginxui
nginx ui
≤ 2.3.5

CVEs Like This One

CVE-2026-42222 · Same product: Nginxui Nginx Ui
CVE-2026-42221 · Same product: Nginxui Nginx Ui
CVE-2026-33026 · Same product: Nginxui Nginx Ui
CVE-2026-27944 · Same product: Nginxui Nginx Ui
CVE-2026-33032 · Same product: Nginxui Nginx Ui
CVE-2026-33031 · Same product: Nginxui Nginx Ui
CVE-2026-33030 · Same product: Nginxui Nginx Ui
CVE-2026-42238 · Same product: Nginxui Nginx Ui
CVE-2026-33028 · Same product: Nginxui Nginx Ui
CVE-2024-48849 · Shared CWE-1385

References