Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionGitHub Advisory
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue.
AnalysisAI
Disabled user accounts in Nginx UI versions before 2.3.4 retain full API access through previously issued JWT tokens for the entire token lifetime, allowing attackers with stolen credentials to maintain persistent access and create new accounts even after administrative remediation attempts. This authentication bypass enables continued confidentiality and integrity compromise of Nginx configurations despite account lockout. Reported by GitHub security advisories; no evidence of active exploitation (not in CISA KEV), but the token-reuse mechanism makes exploitation straightforward for attackers who have already obtained credentials.
Technical ContextAI
Nginx UI (0xJacky/nginx-ui) is a web-based management interface for the Nginx web server, providing administrative functions through a REST API authenticated via JSON Web Tokens (JWT). The vulnerability stems from improper privilege management (CWE-284) where the token validation mechanism checks only token signature and expiration, failing to verify the current account status against the user database. When an administrator disables a user account, the authorization system does not invalidate existing tokens or cross-reference the disabled status during subsequent API requests. JWTs are stateless by design, meaning the token itself contains the authorization claims, and without server-side session tracking or token revocation lists, disabled accounts remain functionally active until token expiration. The CVSS:4.0 vector (AV:N/AC:L/PR:L/VC:H/VI:H) confirms network-accessible exploitation with low complexity requiring only low privileges (a previously authenticated user), resulting in high confidentiality and integrity impact to the vulnerable system.
RemediationAI
Upgrade Nginx UI to version 2.3.4 immediately, as documented in the GitHub security advisory GHSA-x234-x5vq-cc2v at https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-x234-x5vq-cc2v. The patched version implements proper token invalidation upon account disablement. After upgrading, force-expire all existing JWT tokens by rotating the signing secret in Nginx UI configuration, which immediately invalidates all previously issued tokens and requires users to reauthenticate. If immediate patching is not feasible, implement network-level access controls restricting Nginx UI API endpoints to trusted management networks only, and configure shortest practical token lifetime (reducing the window of post-disablement access). Monitor API access logs for activity from recently disabled accounts as an indicator of compromise. Note that network restrictions reduce attack surface but do not eliminate risk if attackers have already gained access to the management network. Token lifetime reduction trades operational convenience for reduced exposure window.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23965
GHSA-x234-x5vq-cc2v