QwikSec

Security Database

CVE

CWE

Training

CVE Database
/

CVE-2026-33031

Back to search

CVE-2026-33031

Published: Apr 20, 2026

Modified: Apr 21, 2026

PUBLISHED

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue.

VendorProductVersions

0xJacky

nginx-ui

affected
< 2.3.4

Weaknesses (CWE)

CWE-284
CWE-863

References

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now