Auth bypass in 0xjacky Nginx-ui
CVE-2026-33031
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account…
EPSS: 0.000 (11.8th percentile) — read the EPSS interpretation.
Affected products
- 0xjacky Nginx-ui — versions < 2.3.4
Weakness classification (CWE)
References
- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-x234-x5vq-cc2v (x_refsource_CONFIRM)