CVE-2026-33031 HIGH

CVE-2026-33031: Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

Vendor 0Xjacky

Product nginx-ui

Weakness CWE-284

Published April 20, 2026

Last update April 21, 2026

View on NVD All CVEs

CVSS base score

8.6/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue.

Key dates

Disclosure timeline

April 20, 2026 CVE published

April 21, 2026 Record updated