CVE-2026-33031
Received Received - Intake

JWT Token Reuse Allows Persistent Access in Nginx UI

Vulnerability report for CVE-2026-33031, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-20

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-20
Last Modified
2026-04-22
Generated
2026-07-06
AI Q&A
2026-04-21
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
nginxui nginx_ui to 2.3.4 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects the Nginx UI, a web user interface for the Nginx web server, in versions prior to 2.3.4. When an administrator disables a user, the previously issued API tokens for that user remain valid until their token lifetime expires. This means that even after disabling a compromised account, the attacker who stole the JWT (JSON Web Token) can continue to access and modify protected resources. Additionally, since these tokens can be used to create new accounts, the disabled user can maintain privileges despite being disabled.

Impact Analysis

The vulnerability allows an attacker who has stolen a JWT from a disabled user to continue accessing and modifying protected resources without interruption. This can lead to unauthorized data access, data modification, and potentially the creation of new accounts with elevated privileges, undermining the security controls intended to restrict access.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade Nginx UI to version 2.3.4 or later, where the issue is patched.

Since disabling a user does not revoke previously issued API tokens, it is important to invalidate or revoke all existing tokens associated with disabled accounts to prevent continued access.

Compliance Impact

This vulnerability allows a disabled user to continue accessing and modifying protected resources using previously issued API tokens, which means that access control measures are effectively bypassed.

Such unauthorized continued access could lead to violations of compliance requirements in standards and regulations like GDPR and HIPAA, which mandate strict control over user access and protection of sensitive data.

Specifically, failure to revoke access promptly after disabling a user may result in unauthorized data exposure or modification, undermining data protection and privacy obligations.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33031. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart