Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionGitHub Advisory
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue.
AnalysisAI
nginx-ui before version 2.3.5 allows Cross-Site WebSocket Hijacking (CSWSH) attacks due to improper WebSocket origin validation and insecurely configured authentication cookies. An attacker can trick a logged-in administrator into visiting a malicious webpage that establishes authenticated WebSocket connections to the target nginx-ui instance, enabling information disclosure and administrative actions without explicit user consent. Version 2.3.5 patches the issue; no public exploit code or active exploitation confirmed at time of analysis.
Technical ContextAI
nginx-ui implements WebSocket endpoints using the gorilla/websocket library's Upgrader mechanism with CheckOrigin unconditionally returning true, disabling the standard same-origin policy enforcement for WebSocket connections. Authentication tokens are stored in browser cookies set via JavaScript without the HttpOnly flag (which prevents JavaScript access) or explicit SameSite attributes (which restrict cross-site cookie transmission). This combination violates WebSocket security best practices: CSWSH attacks rely on Cross-Origin Resource Sharing (CORS) bypass combined with automatic cookie inclusion in cross-origin requests. CWE-1385 (Improper Origin Validation in WebSockets) directly describes this root cause - the application fails to validate the Origin header before upgrading HTTP connections to WebSocket, allowing any website to initiate authenticated WebSocket sessions on behalf of the user's browser.
RemediationAI
Upgrade nginx-ui to version 2.3.5 or later, which patches the CheckOrigin validation and corrects cookie configuration. If immediate upgrade is not possible, implement the following compensating controls: (1) Configure WebSocket endpoints to explicitly validate the Origin header against a whitelist of trusted domains, rejecting requests with mismatched origins - this prevents CSWSH but requires identifying all legitimate client origins; (2) Manually set authentication cookies with the HttpOnly flag to prevent JavaScript access and with SameSite=Strict (or Lax) to restrict cross-site transmission - depending on your JavaScript framework, this may require modifying the authentication handler and testing application functionality; (3) Use network-level protections such as IP allowlisting for nginx-ui administrative access to reduce exposure to cross-site attacks; (4) Implement Content-Security-Policy (CSP) headers to restrict JavaScript execution in the nginx-ui interface, limiting the window for attackers to inject malicious code. These mitigations partially reduce risk but do not fully address the root cause; patching to v2.3.5 is the primary remediation.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-1385 – Missing Origin Validation in WebSockets
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23972
GHSA-78mf-482w-62qj