Threat Advisory

Nginx UI Vulnerabilities Impact Authentication and Session Management

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

Both flaws affect Nginx UI, a web interface for managing Nginx servers, and impact authentication and communication security. The first vulnerability allows Cross-Site WebSocket Hijacking due to missing origin validation, enabling attackers to hijack authenticated sessions when an administrator visits a malicious page. The second is an authorization bypass: disabled users can continue accessing the system with previously issued API tokens, which defeats account deactivation controls. Together, these flaws reveal weaknesses in session handling, token validation, and WebSocket security, and could allow unauthorized access, data manipulation, and persistent access within affected systems if left unpatched.

CVE-2026-34403 (CVSS score 8.6): Cross-Site WebSocket Hijacking (CSWSH) due to missing origin validation on all WebSocket endpoints. A malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page, allowing attackers to read sensitive configuration, leak performance metrics and other information, and execute state-changing actions.

CVE-2026-33031 (CVSS score 8.6): An authorization flaw in Nginx UI releases prior to the fix, where disabled users can continue using previously issued JWT/API tokens until token expiry. This may allow continued unauthorized access, account persistence, and administrative misuse.
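The two defensive checks the advisories call for, as an added Go example that is not Nginx UI's own code: a WebSocket origin check run before the upgrade, and a per-request token check that re-reads the account's current enabled state instead of trusting the token alone. The User and Claims types and the lookup callback are hypothetical stand-ins for the real account store and decoded token.

```go
package main

import (
	"errors"
	"net/http"
	"net/url"
	"strings"
	"time"
)

// checkWebSocketOrigin runs before the upgrade: the browser-supplied Origin
// must name the host the UI is served from. An absent Origin is rejected
// (stricter than some upgrader defaults; relax only for non-browser clients).
func checkWebSocketOrigin(r *http.Request) bool {
	u, err := url.Parse(r.Header.Get("Origin"))
	if err != nil || u.Host == "" {
		return false
	}
	return strings.EqualFold(u.Host, r.Host)
}

// User and Claims are hypothetical stand-ins for the account record and the
// decoded JWT/API token; only the fields needed for the check are modelled.
type User struct {
	ID      int
	Enabled bool
}
type Claims struct {
	UserID    int
	ExpiresAt time.Time
}

var (
	ErrTokenExpired = errors.New("token expired")
	ErrUserDisabled = errors.New("account disabled or unknown")
)

// authorizeToken runs on every request. Re-reading the account's current state
// here, not only at issuance, stops a token from outliving its account's deactivation.
func authorizeToken(c Claims, lookup func(int) (User, bool), now time.Time) error {
	if !now.Before(c.ExpiresAt) {
		return ErrTokenExpired
	}
	u, ok := lookup(c.UserID)
	if !ok || !u.Enabled {
		return ErrUserDisabled
	}
	return nil
}
```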

RECOMMENDATION:

We recommend updating Nginx UI to the patched versions listed in the following advisories:
CVE-2026-34403: https://github.com/advisories/GHSA-78mf-482w-62qj
CVE-2026-33031: https://github.com/advisories/GHSA-x234-x5vq-cc2v

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-78mf-482w-62qj
https://github.com/advisories/GHSA-x234-x5vq-cc2v