CVE-2026-33031
Received Received - Intake
JWT Token Reuse Allows Persistent Access in Nginx UI

Publication date: 2026-04-20

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-33031
EUVD
EUVD-2026-23965
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nginxui nginx_ui to 2.3.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects the Nginx UI, a web user interface for the Nginx web server, in versions prior to 2.3.4. When an administrator disables a user, the previously issued API tokens for that user remain valid until their token lifetime expires. This means that even after disabling a compromised account, the attacker who stole the JWT (JSON Web Token) can continue to access and modify protected resources. Additionally, since these tokens can be used to create new accounts, the disabled user can maintain privileges despite being disabled.

Impact Analysis

The vulnerability allows an attacker who has stolen a JWT from a disabled user to continue accessing and modifying protected resources without interruption. This can lead to unauthorized data access, data modification, and potentially the creation of new accounts with elevated privileges, undermining the security controls intended to restrict access.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Nginx UI to version 2.3.4 or later, where the issue is patched.

Since disabling a user does not revoke previously issued API tokens, it is important to invalidate or revoke all existing tokens associated with disabled accounts to prevent continued access.

Compliance Impact

This vulnerability allows a disabled user to continue accessing and modifying protected resources using previously issued API tokens, which means that access control measures are effectively bypassed.

Such unauthorized continued access could lead to violations of compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict control over user access and protection of sensitive data.

Specifically, failure to revoke access promptly after disabling a user may result in unauthorized data exposure or modification, undermining data protection and privacy obligations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33031. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart