CVE-2026-34403
Received Received - Intake
Cross-Site WebSocket Hijacking in Nginx-UI Prior to

Publication date: 2026-04-20

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-22
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34403
EUVD
EUVD-2026-23972
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nginxui nginx_ui to 2.3.5 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1385 The product uses a WebSocket, but it does not properly verify that the source of data or communication is valid.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows Cross-Site WebSocket Hijacking (CSWSH) due to improper origin checks and insecure handling of authentication tokens in browser cookies. This can lead to unauthorized access to the nginx-ui instance by malicious webpages when an administrator is logged in.

Such unauthorized access and potential data exposure could negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure authentication mechanisms.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.

Executive Summary

This vulnerability affects the Nginx UI web user interface for the Nginx web server prior to version 2.3.5. The issue arises because all WebSocket endpoints use a gorilla/websocket Upgrader with a CheckOrigin function that always returns true, which allows Cross-Site WebSocket Hijacking (CSWSH).

Additionally, authentication tokens are stored in browser cookies that are set via JavaScript without the HttpOnly or explicit SameSite attributes. This combination means that a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance if a logged-in administrator visits the attacker-controlled page.

The vulnerability was fixed in version 2.3.5 of nginx-ui.

Impact Analysis

This vulnerability can allow an attacker to hijack authenticated WebSocket connections to the nginx-ui instance by tricking a logged-in administrator into visiting a malicious webpage.

As a result, the attacker could potentially perform unauthorized actions within the nginx-ui interface with the privileges of the administrator, leading to compromise of the web server's management interface.

Mitigation Strategies

To mitigate this vulnerability, upgrade nginx-ui to version 2.3.5 or later, where the issue has been patched.

Additionally, consider securing authentication tokens by setting HttpOnly and explicit SameSite attributes on cookies to prevent unauthorized access via malicious webpages.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34403. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart