CVSS Vector (NVD)
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (NVD)
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can continue to use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user's access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible for the disabled user to maintain the privilege. Version 2.3.4 patches the issue.
Analysis (AI)
Disabled user accounts in Nginx UI versions before 2.3.4 retain full API access through previously issued JWT tokens for the entire token lifetime, allowing attackers with stolen credentials to maintain persistent access and create new accounts even after administrative remediation attempts. This authentication bypass enables continued confidentiality and integrity compromise of Nginx configurations despite account lockout. …
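The failure described above, as an added Go example that is not Nginx UI's own code: a minimal HS256 JWT verifier in which AuthorizeVulnerable accepts any well-signed, unexpired token (the pre-2.3.4 behaviour, so a token minted before the account was disabled keeps working until it expires), while AuthorizeFixed additionally re-reads the account's enabled state on every request. The user table, signing key and account names are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var (
	disabled = map[string]bool{"alice": false, "mallory": true} // constructed user table; true = account disabled
	secret   = []byte("constructed-demo-secret")                // constructed HS256 key, normally loaded from config
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func sign(s string) []byte { m := hmac.New(sha256.New, secret); m.Write([]byte(s)); return m.Sum(nil) }

// MintToken issues an HS256 JWT for sub that expires at Unix time exp.
func MintToken(sub string, exp int64) string {
	payload, _ := json.Marshal(map[string]any{"sub": sub, "exp": exp})
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	return input + "." + b64(sign(input))
}

// AuthorizeVulnerable mirrors the pre-2.3.4 check: it trusts only what the token carries
// (signature, expiry), so a token issued before the account was disabled works until it expires.
func AuthorizeVulnerable(tok string, now int64) (string, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 || !hmac.Equal([]byte(parts[2]), []byte(b64(sign(parts[0]+"."+parts[1])))) {
		return "", errors.New("malformed token or bad signature")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	var c struct{ Sub string `json:"sub"`; Exp int64 `json:"exp"` }
	if err != nil || json.Unmarshal(raw, &c) != nil || now >= c.Exp {
		return "", errors.New("bad payload or expired token")
	}
	return c.Sub, nil
}

// AuthorizeFixed re-reads the account state on every request, so an administrator
// disabling the account takes effect immediately even while the token is unexpired.
func AuthorizeFixed(tok string, now int64) (string, error) {
	sub, err := AuthorizeVulnerable(tok, now)
	if d, ok := disabled[sub]; err == nil && (!ok || d) {
		return "", errors.New("account unknown or disabled")
	}
	return sub, err // sub is already "" whenever err is non-nil
}
```

The same per-request account lookup is what makes "disable the account" an effective containment step; without it, only token revocation or expiry ends the session.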
Remediation (AI)
Within 24 hours: Inventory all Nginx UI deployments and document current versions; disable or revoke all existing JWT tokens via administrative interfaces if available, and audit access logs for suspicious API calls from disabled accounts. Within 7 days: Upgrade to Nginx UI version 2.3.4 or later; implement network-level API access restrictions to administrative APIs; conduct credential audit and force password resets for all administrative accounts. …
EUVD-2026-23965
GHSA-x234-x5vq-cc2v