CVE-2026-33031
JWT Token Reuse Allows Persistent Access in Nginx UI
Publication date: 2026-04-20
Last updated on: 2026-04-22
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nginxui | nginx_ui | all versions before 2.3.4 (2.3.4 itself is not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-863 | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. |
AI Powered Q&A
Can you explain this vulnerability to me?
Nginx UI is a web management interface for the Nginx web server. In versions before 2.3.4, disabling a user account does not invalidate the API tokens (JWTs) already issued to that account: the server still validates the token itself (signature and lifetime) but does not re-check whether the account it names is still enabled, so the token keeps working until its own expiry. An attacker who has obtained such a token therefore continues to read and modify protected resources after the administrator has disabled the account, and because these tokens can also be used to create new accounts, the disabled user can re-establish access that outlives the stolen token.
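The check at the heart of this bug, shown as an added example in Go (the language Nginx UI is written in); this is not Nginx UI's own code. It assumes HS256 tokens, a constructed signing secret, and a hypothetical in-memory user store whose records carry an Enabled flag and a RevokeBefore timestamp (the moment the account was last disabled). AuthorizeVulnerable accepts any well-signed, unexpired token, which is the behaviour the advisory describes; AuthorizeFixed also consults the account store on every request and rejects tokens issued before the account was last disabled, so re-enabling the account later does not revive them.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of JWT claims the check needs: the account name,
// issue time and expiry (Unix seconds).
type Claims struct {
	Sub string `json:"sub"`
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

// User is a hypothetical account record (assumption, not Nginx UI's schema).
// RevokeBefore is when the account was last disabled; tokens issued at or
// before it stay dead even if the account is re-enabled. Zero = never disabled.
type User struct {
	Enabled      bool
	RevokeBefore time.Time
}

// Constructed demo secret; a real deployment loads this from configuration.
var secret = []byte("constructed-demo-secret-do-not-use")

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// Sign mints an HS256 token (constructed issuer, not Nginx UI's).
func Sign(sub string, iat time.Time, ttl time.Duration) string {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, _ := json.Marshal(Claims{Sub: sub, Iat: iat.Unix(), Exp: iat.Add(ttl).Unix()}) // cannot fail for this struct
	signingInput := header + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil))
}

// verify checks only what the token itself can prove: an HS256 signature under
// our secret and an unexpired exp. The alg header is deliberately ignored so a
// forged "alg":"none" header cannot switch the algorithm.
func verify(token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("bad signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, errors.New("bad payload")
	}
	var c Claims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, errors.New("bad claims")
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// AuthorizeVulnerable mirrors the pre-2.3.4 behaviour the advisory describes:
// a well-signed, unexpired token is accepted whatever the account's state.
func AuthorizeVulnerable(token string, users map[string]User, now time.Time) (string, error) {
	c, err := verify(token, now)
	if err != nil {
		return "", err
	}
	return c.Sub, nil
}

// AuthorizeFixed additionally requires the account to exist and be enabled and
// the token to have been issued after the account was last disabled. iat has
// whole-second precision, so <= also kills tokens minted in the disable's second.
func AuthorizeFixed(token string, users map[string]User, now time.Time) (string, error) {
	c, err := verify(token, now)
	if err != nil {
		return "", err
	}
	u, ok := users[c.Sub]
	if !ok || !u.Enabled {
		return "", errors.New("account unknown or disabled")
	}
	if !u.RevokeBefore.IsZero() && c.Iat <= u.RevokeBefore.Unix() {
		return "", errors.New("token predates last disable of account")
	}
	return c.Sub, nil
}

func main() {
	now := time.Unix(1700000000, 0)
	stolen := Sign("alice", now.Add(-time.Hour), 24*time.Hour) // issued before the disable
	users := map[string]User{"alice": {Enabled: false, RevokeBefore: now.Add(-30 * time.Minute)}}
	_, errV := AuthorizeVulnerable(stolen, users, now)
	_, errF := AuthorizeFixed(stolen, users, now)
	fmt.Printf("vulnerable check after disable: err=%v\nfixed check after disable: err=%v\n", errV, errF)
}
```

The store lookup on every request is the cost of the fix: a JWT is self-contained by design, so without that lookup (or a revocation list, or rotating the signing secret) nothing the server does to an account can reach tokens already in an attacker's hands.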
How can this vulnerability impact me?
An attacker holding a token that was issued to an account before the account was disabled keeps accessing and modifying protected resources without interruption. That means unauthorized data access and modification and, because such tokens can create new accounts, persistence that survives the eventual expiry of the stolen token. The administrative control meant to cut off access, disabling the account, simply does not take effect.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Nginx UI to version 2.3.4 or later, where the issue is fixed.
Until the upgrade, treat disabling an account as insufficient: every token issued to it before the disable stays usable for the rest of its lifetime. Invalidate those outstanding tokens as well, for instance by rotating the secret that signs them where the deployment allows it (a general JWT measure that revokes every issued token and forces all users to log in again), and review access logs for activity by disabled accounts after the time they were disabled, including any accounts created by them.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Tokens issued to a since-disabled account continue to grant access to and modification of protected resources, so the access-control measure (disabling the account) is effectively bypassed.
Such continued unauthorized access can violate requirements in standards and regulations like GDPR and HIPAA, which mandate strict control over user access and protection of sensitive data.
Specifically, failing to revoke access promptly after disabling a user may result in unauthorized data exposure or modification, undermining data-protection and privacy obligations.