Home / Vulnerability Intelligence / CVE-2026-33031

CVE-2026-33031 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: April 22, 2026

Nginx UI - Broken Access Control

Published: April 20, 2026Updated: April 22, 2026PoC AvailableRemote Exploitable

Overview

Nginx UI < 2.3.4 contains a broken access control vulnerability caused by continued acceptance of API tokens from disabled users, letting attackers with stolen JWTs read and modify protected resources, exploit requires stolen JWT tokens.

Severity & Score

Severity: High

CVSS Score: 8.1

Impact

Attackers with stolen JWT tokens can maintain access to protected resources and create new accounts despite user disablement.

Mitigation

Upgrade to version 2.3.4 or later.

References

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-x234-x5vq-cc2v

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33031
Severity: High
CVSS Score: 8.1
Type: broken_access_control
Status: confirmed

CWE

CWE-284

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N