Nginx UI EUVD-2026-23965

CVE-2026-33031 | HIGH | CVSS 4.0 base score 8.6
Improper Access Control (CWE-284)
Published 2026-04-20 | Source: GitHub_M | Advisory: GHSA-x234-x5vq-cc2v

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Attack Requirements: None (AT:N)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Vulnerable System Confidentiality: High (VC:H)
Vulnerable System Integrity: High (VI:H)
Vulnerable System Availability: None (VA:N)
Subsequent System Confidentiality / Integrity / Availability: None (SC:N / SI:N / SA:N)

CVSS 4.0 has no Scope metric; impact on systems beyond the vulnerable one is carried by the SC/SI/SA metrics, all None here. PR:L reflects that the attacker needs a token issued to a (now disabled) low-privilege account, not an anonymous position.

Lifecycle Timeline

Apr 21, 2026 16:22 (vuln.today): Re-analysis queued (trigger: cvss_changed)
Apr 20, 2026 22:31 (EUVD): Patch available
Apr 20, 2026 21:44 (vuln.today): Analysis generated
Apr 20, 2026 21:22 (NVD): CVSS changed to 8.6 (HIGH)

Description (NVD)

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user's access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible for the disabled user to retain privileges. Version 2.3.4 patches the issue.

Analysis (AI)

Disabled user accounts in Nginx UI versions before 2.3.4 retain full API access through previously issued JWTs for the remainder of each token's lifetime: token validity is tied only to the token's own expiry, not to the account's current state. An attacker holding a stolen token therefore keeps access after the administrator's remediation, and because the API allows token holders to create new accounts, the attacker can persist beyond the stolen token's expiry. The result is continued confidentiality and integrity compromise of Nginx configurations despite the account lockout. …
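The mechanism described above, as an added example that is not Nginx UI's code: a minimal HS256 JWT check in Go (the project's language) with the pre-2.3.4 behaviour, which trusts any correctly signed and unexpired token, beside a hardened version that also consults the account record. The User type, the `ver` claim, the demo secret and all function names are assumptions for illustration; the per-account token-version counter is a general revocation pattern, not a description of what the 2.3.4 patch does.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// User is a constructed stand-in for the account record; the field names are assumptions, not Nginx UI's schema.
type User struct {
	ID           int
	Enabled      bool
	TokenVersion int // bumped whenever the account is disabled or its sessions are explicitly revoked
}

// claims is the JWT payload; "ver" is the added per-account revocation counter (an assumption, not a real Nginx UI claim).
type claims struct {
	Sub     int   `json:"sub"`
	Exp     int64 `json:"exp"`
	Version int   `json:"ver"`
}

var secret = []byte("constructed-demo-secret-not-for-production") // demo key only; a real deployment loads it from config
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func sign(s string) []byte { m := hmac.New(sha256.New, secret); m.Write([]byte(s)); return m.Sum(nil) }

// IssueToken mints a compact HS256 JWT for u that expires ttl after now.
func IssueToken(u *User, ttl time.Duration, now time.Time) string {
	body, _ := json.Marshal(claims{Sub: u.ID, Exp: now.Add(ttl).Unix(), Version: u.TokenVersion}) // cannot fail for this struct
	input := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	return input + "." + b64(sign(input))
}

// parseAndVerify checks structure, signature and expiry only; account state is never consulted here.
func parseAndVerify(token string, now time.Time) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, sign(parts[0]+"."+parts[1])) {
		return nil, errors.New("bad signature")
	}
	var c claims
	if payload, err := base64.RawURLEncoding.DecodeString(parts[1]); err != nil {
		return nil, err
	} else if err = json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// AuthorizeVulnerable mirrors the pre-2.3.4 behaviour: any unexpired, correctly signed token is accepted, so a token stolen before the account was disabled keeps working until it expires.
func AuthorizeVulnerable(token string, users map[int]*User, now time.Time) (*User, error) {
	c, err := parseAndVerify(token, now)
	if err != nil {
		return nil, err
	}
	if u := users[c.Sub]; u != nil {
		return u, nil // u.Enabled is never looked at
	}
	return nil, errors.New("unknown user")
}

// AuthorizeFixed also requires the account to be enabled and the token's version to match the account's current one, so disabling the account (or bumping the version on any explicit revocation) invalidates every older token at once.
func AuthorizeFixed(token string, users map[int]*User, now time.Time) (*User, error) {
	c, err := parseAndVerify(token, now)
	if err != nil {
		return nil, err
	}
	u := users[c.Sub]
	if u == nil || !u.Enabled {
		return nil, errors.New("account unknown or disabled")
	}
	if c.Version != u.TokenVersion {
		return nil, errors.New("token revoked")
	}
	return u, nil
}

func main() {
	now := time.Now()
	users := map[int]*User{2: {ID: 2, Enabled: true}}
	tok := IssueToken(users[2], time.Hour, now) // stolen while the account was still active
	users[2].Enabled, users[2].TokenVersion = false, users[2].TokenVersion+1 // the administrator disables the account
	_, errV := AuthorizeVulnerable(tok, users, now)
	_, errF := AuthorizeFixed(tok, users, now)
	fmt.Println("vulnerable check accepts stolen token:", errV == nil, "| fixed check accepts it:", errF == nil)
}
```

The important design point is that the hardened check does a database lookup on every request rather than trusting the token's claims alone; the version counter additionally gives administrators a way to revoke a live account's sessions (password reset, suspected theft) without touching the signing secret, which is the only revocation lever a pure signature-and-expiry check leaves.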


Remediation (AI)

Within 24 hours: Inventory all Nginx UI deployments and document current versions; revoke all existing JWT tokens, and audit access logs for API calls made by disabled accounts after the time they were disabled. Note that on affected versions disabling the account is not itself a revocation (that is the bug), so revocation has to be an action that invalidates outstanding tokens, such as rotating the JWT signing secret where the deployment's configuration exposes it, which invalidates every token at once and forces all users to log in again. Within 7 days: Upgrade to Nginx UI version 2.3.4 or later; implement network-level access restrictions to the administrative API; conduct a credential audit and force password resets for all administrative accounts, and review the user list for accounts created by a disabled user, since the description notes tokens can be used to create new accounts. …
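For the log-audit step above, an added example that is not vuln.today's or Nginx UI's tooling: Go code that scans a constructed newline-delimited JSON audit log and reports every successful API call a user made after the administrator disabled that account, flagging account-creation calls separately because the description notes tokens can be used to create new accounts. The record layout, the /api/users path and the sample lines are assumptions; the page does not give Nginx UI's log format, so map your own fields onto AuditEvent.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// AuditEvent is a hypothetical per-request audit record; the field names are
// assumptions, not Nginx UI's log format.
type AuditEvent struct {
	TS     time.Time `json:"ts"`
	User   string    `json:"user"`
	Method string    `json:"method"`
	Path   string    `json:"path"`
	Status int       `json:"status"`
}

// Finding is one successful API call made with a token that should have died
// when the account was disabled.
type Finding struct {
	Event          AuditEvent
	CreatedAccount bool // the call hit the (assumed) account-creation endpoint
}

// FindPostDisableActivity scans newline-delimited JSON audit events and returns
// every successful call by a disabled user that happened after disabledAt[user].
func FindPostDisableActivity(logText string, disabledAt map[string]time.Time) ([]Finding, error) {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(logText))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var ev AuditEvent
		if err := json.Unmarshal([]byte(line), &ev); err != nil {
			return nil, fmt.Errorf("audit line %d: %w", n, err)
		}
		cutoff, disabled := disabledAt[ev.User]
		if !disabled || !ev.TS.After(cutoff) || ev.Status >= 400 {
			continue // active user, activity before the disable, or a request the server refused
		}
		out = append(out, Finding{
			Event:          ev,
			CreatedAccount: ev.Method == "POST" && ev.Path == "/api/users", // assumed endpoint
		})
	}
	return out, sc.Err()
}

// sampleLog is constructed for this example: "mallory" is disabled at 11:00 UTC,
// so the 10:00 call is legitimate, the 11:05 and 11:06 calls are findings, and
// the 11:07 call was refused by the server and is not reported.
const sampleLog = `
{"ts":"2026-04-20T10:00:00Z","user":"mallory","method":"GET","path":"/api/configs","status":200}
{"ts":"2026-04-20T10:30:00Z","user":"alice","method":"GET","path":"/api/configs","status":200}
{"ts":"2026-04-20T11:05:00Z","user":"mallory","method":"PUT","path":"/api/configs/default","status":200}
{"ts":"2026-04-20T11:06:00Z","user":"mallory","method":"POST","path":"/api/users","status":201}
{"ts":"2026-04-20T11:07:00Z","user":"mallory","method":"GET","path":"/api/users","status":401}
`

func main() {
	disabled := map[string]time.Time{"mallory": time.Date(2026, 4, 20, 11, 0, 0, 0, time.UTC)}
	findings, err := FindPostDisableActivity(sampleLog, disabled)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %s %s %s created_account=%v\n", f.Event.TS.Format(time.RFC3339), f.Event.User, f.Event.Method, f.Event.Path, f.CreatedAccount)
	}
}
```

The disable timestamp is the key input: without it, every call by a since-disabled user looks suspicious, and the calls that matter are precisely the ones after the administrator believed access was cut off. Any account a flagged POST created should itself be added to the disabled list and the scan re-run.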



EUVD-2026-23965 vulnerability details – vuln.today
