Skip to main content

Nginx CVE-2026-34403

| EUVDEUVD-2026-23972 MEDIUM
Missing Origin Validation in WebSockets (CWE-1385)
2026-04-20 GitHub_M GHSA-78mf-482w-62qj
5.5
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

7
Patch released
Apr 22, 2026 - 17:35 nvd
Patch available
Patch available
Apr 20, 2026 - 22:31 EUVD
Analysis Generated
Apr 20, 2026 - 21:44 vuln.today
CVSS changed
Apr 20, 2026 - 21:22 NVD
5.5 (MEDIUM)
EUVD ID Assigned
Apr 20, 2026 - 21:15 euvd
EUVD-2026-23972
Analysis Generated
Apr 20, 2026 - 21:15 vuln.today
CVE Published
Apr 20, 2026 - 20:16 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue.

AnalysisAI

nginx-ui before version 2.3.5 allows Cross-Site WebSocket Hijacking (CSWSH) attacks due to improper WebSocket origin validation and insecurely configured authentication cookies. An attacker can trick a logged-in administrator into visiting a malicious webpage that establishes authenticated WebSocket connections to the target nginx-ui instance, enabling information disclosure and administrative actions without explicit user consent. Version 2.3.5 patches the issue; no public exploit code or active exploitation confirmed at time of analysis.

Technical ContextAI

nginx-ui implements WebSocket endpoints using the gorilla/websocket library's Upgrader mechanism with CheckOrigin unconditionally returning true, disabling the standard same-origin policy enforcement for WebSocket connections. Authentication tokens are stored in browser cookies set via JavaScript without the HttpOnly flag (which prevents JavaScript access) or explicit SameSite attributes (which restrict cross-site cookie transmission). This combination violates WebSocket security best practices: CSWSH attacks rely on Cross-Origin Resource Sharing (CORS) bypass combined with automatic cookie inclusion in cross-origin requests. CWE-1385 (Improper Origin Validation in WebSockets) directly describes this root cause - the application fails to validate the Origin header before upgrading HTTP connections to WebSocket, allowing any website to initiate authenticated WebSocket sessions on behalf of the user's browser.

RemediationAI

Upgrade nginx-ui to version 2.3.5 or later, which patches the CheckOrigin validation and corrects cookie configuration. If immediate upgrade is not possible, implement the following compensating controls: (1) Configure WebSocket endpoints to explicitly validate the Origin header against a whitelist of trusted domains, rejecting requests with mismatched origins - this prevents CSWSH but requires identifying all legitimate client origins; (2) Manually set authentication cookies with the HttpOnly flag to prevent JavaScript access and with SameSite=Strict (or Lax) to restrict cross-site transmission - depending on your JavaScript framework, this may require modifying the authentication handler and testing application functionality; (3) Use network-level protections such as IP allowlisting for nginx-ui administrative access to reduce exposure to cross-site attacks; (4) Implement Content-Security-Policy (CSP) headers to restrict JavaScript execution in the nginx-ui interface, limiting the window for attackers to inject malicious code. These mitigations partially reduce risk but do not fully address the root cause; patching to v2.3.5 is the primary remediation.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-34403 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy