Vulnerability-Lookup

CVE-2026-33030 (GCVE-0-2026-33030)

Vulnerability from cvelistv5 – Published: 2026-03-30 17:58 – Updated: 2026-03-31 19:09

Title

Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys

Summary

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-639 - Authorization Bypass Through User-Controlled Key

Assigner

GitHub_M

References

URL

Tags

https://github.com/0xJacky/nginx-ui/security/advi…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	0xJacky	nginx-ui	Affected: <= 2.3.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-33030",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T18:39:20.785778Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T19:09:45.914Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "nginx-ui",
          "vendor": "0xJacky",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.3.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application\u0027s base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-639",
              "description": "CWE-639: Authorization Bypass Through User-Controlled Key",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-30T17:58:54.381Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m"
        }
      ],
      "source": {
        "advisory": "GHSA-5hf2-vhj6-gj9m",
        "discovery": "UNKNOWN"
      },
      "title": "Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-33030",
    "datePublished": "2026-03-30T17:58:54.381Z",
    "dateReserved": "2026-03-17T17:22:14.669Z",
    "dateUpdated": "2026-03-31T19:09:45.914Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-33030\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-30T18:16:19.243\",\"lastModified\":\"2026-04-01T18:21:15.343\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application\u0027s base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.\"},{\"lang\":\"es\",\"value\":\"Nginx UI es una interfaz de usuario web para el servidor web Nginx. En las versiones 2.3.3 y anteriores, Nginx-UI contiene una vulnerabilidad de Referencia Directa Insegura a Objeto (IDOR) que permite a cualquier usuario autenticado acceder, modificar y eliminar recursos pertenecientes a otros usuarios. La estructura base Model de la aplicaci\u00f3n carece de un campo user_id, y todos los puntos finales de recursos realizan consultas por ID sin verificar la propiedad del usuario, lo que permite una omisi\u00f3n completa de la autorizaci\u00f3n en entornos multiusuario. En el momento de la publicaci\u00f3n, no hay parches disponibles p\u00fablicamente.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.0,\"impactScore\":6.0},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\",\"baseScore\":9.9,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.1,\"impactScore\":6.0}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"},{\"lang\":\"en\",\"value\":\"CWE-639\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.3.3\",\"matchCriteriaId\":\"FD639632-5708-446A-80D7-4A289528D221\"}]}]}],\"references\":[{\"url\":\"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"cna\": {\"title\": \"Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys\", \"source\": {\"advisory\": \"GHSA-5hf2-vhj6-gj9m\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"CHANGED\", \"version\": \"3.1\", \"baseScore\": 8.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"0xJacky\", \"product\": \"nginx-ui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 2.3.3\"}]}], \"references\": [{\"url\": \"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m\", \"name\": \"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m\", \"tags\": [\"x_refsource_CONFIRM\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application\u0027s base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}, {\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-639\", \"description\": \"CWE-639: Authorization Bypass Through User-Controlled Key\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-30T17:58:54.381Z\"}}, \"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33030\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-31T18:39:20.785778Z\"}}}], \"references\": [{\"url\": \"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"shortName\": \"CISA-ADP\", \"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"dateUpdated\": \"2026-03-31T19:07:31.225Z\"}}]}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-33030\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-30T17:58:54.381Z\", \"dateReserved\": \"2026-03-17T17:22:14.669Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-30T17:58:54.381Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-5HF2-VHJ6-GJ9M

Vulnerability from github – Published: 2026-03-30 16:41 – Updated: 2026-03-30 21:26

Summary

nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys

Details

Summary

Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments.

Severity

High - CVSS 3.1 Score: 8.8 (High)

Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Note: Original score was 7.5. The score was updated to 8.8 after discovering that sensitive data (DNS API tokens, ACME private keys) is stored in plaintext, which when combined with IDOR allows immediate credential theft without decryption.

Product

nginx-ui

Affected Versions

All versions up to and including v2.3.3

CWE

CWE-639: Authorization Bypass Through User-Controlled Key

Description

Exposed DNS Provider Credentials

The dns.Config structure (internal/cert/dns/config_env.go) contains API credentials:

type Configuration struct {
    Credentials map[string]string `json:"credentials"`  // API tokens here
    Additional  map[string]string `json:"additional"`
}

Provider	Credential Fields	Impact if Leaked
Cloudflare	`CF_API_TOKEN`	Full DNS zone control
Alibaba Cloud DNS	`ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY`	Full DNS control + potential IAM access
Tencent Cloud DNS	`TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY`	Full DNS control
AWS Route53	`AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`	Route53 + potential AWS access
GoDaddy	`GODADDY_API_KEY`, `GODADDY_API_SECRET`	DNS record modification

Combined Attack: IDOR + Plaintext Storage

When the IDOR vulnerability is combined with plaintext storage, attackers can directly extract API tokens from other users' resources:

Attack Chain:
┌─────────────────────────────────────────────────────────────────┐
│ 1. Attacker authenticates with low-privilege account            │
│ 2. Uses IDOR to enumerate: /api/dns_credentials/1,2,3...      │
│ 3. Reads plaintext API tokens directly from HTTP response       │
│ 4. No decryption needed - tokens stored in cleartext            │
│ 5. Uses stolen tokens to:                                       │
│    - Modify DNS records (domain hijacking)                      │
│    - Issue fraudulent SSL certificates                          │
│    - Pivot to cloud infrastructure                              │
└─────────────────────────────────────────────────────────────────┘

PoC: Extracting Plaintext Credentials via IDOR

# Attacker with low-privilege token accessing admin's DNS credential
curl -H "Authorization: $ATTACKER_TOKEN" \
     https://nginx-ui.example.com/api/dns_credentials/1

# Response contains PLAINTEXT API token (no decryption required):
{
    "id": 1,
    "name": "Production Cloudflare",
    "provider": "cloudflare",
    "config": {
        "credentials": {
            "CF_API_TOKEN": "yhyQ7xR...plaintext_token_visible..."
        }
    }
}

Updated CVSS Score with Plaintext Storage

The plaintext storage increases the confidentiality impact:

CVSS 3.1 Score: 8.8 (High)

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Scope Changed (S:C): Impact extends to external services (DNS providers, cloud platforms)
High Confidentiality (C:H): Plaintext API tokens immediately usable
High Integrity (I:H): DNS records, certificates can be modified
High Availability (A:H): Services can be disrupted via DNS/certificate manipulation

Attack Scenario: Certificate Hijacking

1. Attacker creates low-privilege account on nginx-ui
2. Uses IDOR to enumerate all DNS credentials: /api/dns_credentials/1,2,3...
3. Steals Cloudflare API token from admin's credential
4. Uses token to:
   - Modify DNS records
   - Issue fraudulent Let's Encrypt certificates
   - Intercept traffic to victim domains

Credit

Discovered by security researcher during authorized security audit.

Recommendation

Immediate Mitigation

Add User Ownership to Models

// model/model.go
type Model struct {
    ID        uint64          `gorm:"primary_key" json:"id"`
    UserID    uint64          `gorm:"index" json:"user_id"`  // Add this field
    CreatedAt time.Time       `json:"created_at"`
    UpdatedAt time.Time       `json:"updated_at"`
    DeletedAt *gorm.DeletedAt `gorm:"index" json:"deleted_at,omitempty"`
}

Filter Queries by Current User

// api/certificate/dns_credential.go
func GetDnsCredential(c *gin.Context) {
    id := cast.ToUint64(c.Param("id"))
    currentUser := c.MustGet("user").(*model.User)

    d := query.DnsCredential
    dnsCredential, err := d.Where(
        d.ID.Eq(id),
        d.UserID.Eq(currentUser.ID),  // Add user filter
    ).First()

    if err != nil {
        cosy.ErrHandler(c, err)
        return
    }
    // ...
}

Add Authorization Middleware

// middleware/authorization.go
func RequireOwnership(resourceType string) gin.HandlerFunc {
    return func(c *gin.Context) {
        currentUser := c.MustGet("user").(*model.User)
        resourceID := cast.ToUint64(c.Param("id"))

        // Check if resource belongs to current user
        ownerID, err := getResourceOwner(resourceType, resourceID)
        if err != nil || ownerID != currentUser.ID {
            c.AbortWithStatusJSON(http.StatusForbidden, gin.H{
                "message": "Access denied",
            })
            return
        }
        c.Next()
    }
}

Database Migration

-- Add user_id column to all resource tables
ALTER TABLE dns_credentials ADD COLUMN user_id BIGINT;
ALTER TABLE certs ADD COLUMN user_id BIGINT;
ALTER TABLE acme_users ADD COLUMN user_id BIGINT;
ALTER TABLE sites ADD COLUMN user_id BIGINT;
ALTER TABLE streams ADD COLUMN user_id BIGINT;
ALTER TABLE configs ADD COLUMN user_id BIGINT;

-- Set default owner for existing resources
UPDATE dns_credentials SET user_id = 1 WHERE user_id IS NULL;
UPDATE certs SET user_id = 1 WHERE user_id IS NULL;

-- Add foreign key constraint
ALTER TABLE dns_credentials ADD CONSTRAINT fk_dns_credentials_user
    FOREIGN KEY (user_id) REFERENCES users(id);

Long-term Improvements

Implement role-based access control (RBAC)
Add audit logging for resource access
Implement resource sharing functionality with explicit permissions
Add integration tests for authorization checks

Remediation for Plaintext Storage

Immediate Fix: Encrypt Sensitive Fields

Apply the same serializer:json[aes] pattern used for S3 credentials to DNS and ACME data:

model/dns_credential.go:

type DnsCredential struct {
    Model
    Name         string      `json:"name"`
    Config       *dns.Config `json:"config,omitempty" gorm:"serializer:json[aes]"` // Add AES encryption
    Provider     string      `json:"provider"`
    ProviderCode string      `json:"provider_code" gorm:"index"`
}

model/acme_user.go:

type AcmeUser struct {
    Model
    // ...
    Key PrivateKey `json:"-" gorm:"serializer:json[aes]"` // Add AES encryption
    // ...
}

Data Migration

Existing plaintext data must be re-saved to trigger encryption:

func MigrateSensitiveData() error {
    // Migrate DNS credentials
    var dnsCreds []model.DnsCredential
    query.DnsCredential.Find(&dnsCreds)
    for _, cred := range dnsCreds {
        query.DnsCredential.Save(&cred) // Re-save triggers AES encryption
    }

    // Migrate ACME users
    var acmeUsers []model.AcmeUser
    query.AcmeUser.Find(&acmeUsers)
    for _, user := range acmeUsers {
        query.AcmeUser.Save(&user)
    }

    return nil
}

Summary of Required Changes

File	Line	Current	Fix
`model/dns_credential.go`	7	`serializer:json`	`serializer:json[aes]`
`model/acme_user.go`	Key field	`serializer:json`	`serializer:json[aes]`

References

Disclosure Timeline

2026-03-13: Vulnerability discovered through source code audit
2026-03-13: Vulnerability successfully reproduced in local Docker environment
2026-03-13: All IDOR operations verified: READ, MODIFY, DELETE
2026-03-13: Security advisory prepared
[Pending]: Report submitted to nginx-ui maintainers
[Pending]: CVE ID requested
[Pending]: Patch developed and tested
[Pending]: Public disclosure (21-90 days after vendor notification)

Severity ?

8.8 (High)


                  
                    CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/0xJacky/nginx-ui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.99"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33030"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639",
      "CWE-78"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-30T16:41:07Z",
    "nvd_published_at": "2026-03-30T18:16:19Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\nNginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application\u0027s base `Model` struct lacks a `user_id` field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments.\n\n## Severity\n\n**High** - CVSS 3.1 Score: **8.8 (High)**\n\nVector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`\n\n**Note**: Original score was 7.5. The score was updated to 8.8 after discovering that sensitive data (DNS API tokens, ACME private keys) is stored in plaintext, which when combined with IDOR allows immediate credential theft without decryption.\n\n## Product\n\nnginx-ui\n\n## Affected Versions\n\nAll versions up to and including v2.3.3\n\n## CWE\n\nCWE-639: Authorization Bypass Through User-Controlled Key\n\n## Description\n\n### Exposed DNS Provider Credentials\n\nThe `dns.Config` structure (`internal/cert/dns/config_env.go`) contains API credentials:\n\n```go\ntype Configuration struct {\n    Credentials map[string]string `json:\"credentials\"`  // API tokens here\n    Additional  map[string]string `json:\"additional\"`\n}\n```\n\n| Provider | Credential Fields | Impact if Leaked |\n|----------|------------------|------------------|\n| Cloudflare | `CF_API_TOKEN` | Full DNS zone control |\n| Alibaba Cloud DNS | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY` | Full DNS control + potential IAM access |\n| Tencent Cloud DNS | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY` | Full DNS control |\n| AWS Route53 | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` | Route53 + potential AWS access |\n| GoDaddy | `GODADDY_API_KEY`, `GODADDY_API_SECRET` | DNS record modification |\n\n### Combined Attack: IDOR + Plaintext Storage\n\nWhen the IDOR vulnerability is combined with plaintext storage, attackers can directly extract API tokens from other users\u0027 resources:\n\n```\nAttack Chain:\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 1. Attacker authenticates with low-privilege account            \u2502\n\u2502 2. Uses IDOR to enumerate: /api/dns_credentials/1,2,3...      \u2502\n\u2502 3. Reads plaintext API tokens directly from HTTP response       \u2502\n\u2502 4. No decryption needed - tokens stored in cleartext            \u2502\n\u2502 5. Uses stolen tokens to:                                       \u2502\n\u2502    - Modify DNS records (domain hijacking)                      \u2502\n\u2502    - Issue fraudulent SSL certificates                          \u2502\n\u2502    - Pivot to cloud infrastructure                              \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n```\n\n### PoC: Extracting Plaintext Credentials via IDOR\n\n```bash\n# Attacker with low-privilege token accessing admin\u0027s DNS credential\ncurl -H \"Authorization: $ATTACKER_TOKEN\" \\\n     https://nginx-ui.example.com/api/dns_credentials/1\n\n# Response contains PLAINTEXT API token (no decryption required):\n{\n    \"id\": 1,\n    \"name\": \"Production Cloudflare\",\n    \"provider\": \"cloudflare\",\n    \"config\": {\n        \"credentials\": {\n            \"CF_API_TOKEN\": \"yhyQ7xR...plaintext_token_visible...\"\n        }\n    }\n}\n```\n\n### Updated CVSS Score with Plaintext Storage\n\nThe plaintext storage increases the confidentiality impact:\n\n**CVSS 3.1 Score: 8.8 (High)**\n\nVector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`\n\n- **Scope Changed (S:C)**: Impact extends to external services (DNS providers, cloud platforms)\n- **High Confidentiality (C:H)**: Plaintext API tokens immediately usable\n- **High Integrity (I:H)**: DNS records, certificates can be modified\n- **High Availability (A:H)**: Services can be disrupted via DNS/certificate manipulation\n\n---\n\n### Attack Scenario: Certificate Hijacking\n\n```\n1. Attacker creates low-privilege account on nginx-ui\n2. Uses IDOR to enumerate all DNS credentials: /api/dns_credentials/1,2,3...\n3. Steals Cloudflare API token from admin\u0027s credential\n4. Uses token to:\n   - Modify DNS records\n   - Issue fraudulent Let\u0027s Encrypt certificates\n   - Intercept traffic to victim domains\n```\n\n## Credit\n\nDiscovered by security researcher during authorized security audit.\n\n## Recommendation\n\n### Immediate Mitigation\n\n1. **Add User Ownership to Models**\n\n```go\n// model/model.go\ntype Model struct {\n    ID        uint64          `gorm:\"primary_key\" json:\"id\"`\n    UserID    uint64          `gorm:\"index\" json:\"user_id\"`  // Add this field\n    CreatedAt time.Time       `json:\"created_at\"`\n    UpdatedAt time.Time       `json:\"updated_at\"`\n    DeletedAt *gorm.DeletedAt `gorm:\"index\" json:\"deleted_at,omitempty\"`\n}\n```\n\n2. **Filter Queries by Current User**\n\n```go\n// api/certificate/dns_credential.go\nfunc GetDnsCredential(c *gin.Context) {\n    id := cast.ToUint64(c.Param(\"id\"))\n    currentUser := c.MustGet(\"user\").(*model.User)\n\n    d := query.DnsCredential\n    dnsCredential, err := d.Where(\n        d.ID.Eq(id),\n        d.UserID.Eq(currentUser.ID),  // Add user filter\n    ).First()\n\n    if err != nil {\n        cosy.ErrHandler(c, err)\n        return\n    }\n    // ...\n}\n```\n\n3. **Add Authorization Middleware**\n\n```go\n// middleware/authorization.go\nfunc RequireOwnership(resourceType string) gin.HandlerFunc {\n    return func(c *gin.Context) {\n        currentUser := c.MustGet(\"user\").(*model.User)\n        resourceID := cast.ToUint64(c.Param(\"id\"))\n\n        // Check if resource belongs to current user\n        ownerID, err := getResourceOwner(resourceType, resourceID)\n        if err != nil || ownerID != currentUser.ID {\n            c.AbortWithStatusJSON(http.StatusForbidden, gin.H{\n                \"message\": \"Access denied\",\n            })\n            return\n        }\n        c.Next()\n    }\n}\n```\n\n### Database Migration\n\n```sql\n-- Add user_id column to all resource tables\nALTER TABLE dns_credentials ADD COLUMN user_id BIGINT;\nALTER TABLE certs ADD COLUMN user_id BIGINT;\nALTER TABLE acme_users ADD COLUMN user_id BIGINT;\nALTER TABLE sites ADD COLUMN user_id BIGINT;\nALTER TABLE streams ADD COLUMN user_id BIGINT;\nALTER TABLE configs ADD COLUMN user_id BIGINT;\n\n-- Set default owner for existing resources\nUPDATE dns_credentials SET user_id = 1 WHERE user_id IS NULL;\nUPDATE certs SET user_id = 1 WHERE user_id IS NULL;\n\n-- Add foreign key constraint\nALTER TABLE dns_credentials ADD CONSTRAINT fk_dns_credentials_user\n    FOREIGN KEY (user_id) REFERENCES users(id);\n```\n\n### Long-term Improvements\n\n1. Implement role-based access control (RBAC)\n2. Add audit logging for resource access\n3. Implement resource sharing functionality with explicit permissions\n4. Add integration tests for authorization checks\n\n---\n\n## Remediation for Plaintext Storage\n\n### Immediate Fix: Encrypt Sensitive Fields\n\nApply the same `serializer:json[aes]` pattern used for S3 credentials to DNS and ACME data:\n\n**model/dns_credential.go:**\n```go\ntype DnsCredential struct {\n    Model\n    Name         string      `json:\"name\"`\n    Config       *dns.Config `json:\"config,omitempty\" gorm:\"serializer:json[aes]\"` // Add AES encryption\n    Provider     string      `json:\"provider\"`\n    ProviderCode string      `json:\"provider_code\" gorm:\"index\"`\n}\n```\n\n**model/acme_user.go:**\n```go\ntype AcmeUser struct {\n    Model\n    // ...\n    Key PrivateKey `json:\"-\" gorm:\"serializer:json[aes]\"` // Add AES encryption\n    // ...\n}\n```\n\n### Data Migration\n\nExisting plaintext data must be re-saved to trigger encryption:\n\n```go\nfunc MigrateSensitiveData() error {\n    // Migrate DNS credentials\n    var dnsCreds []model.DnsCredential\n    query.DnsCredential.Find(\u0026dnsCreds)\n    for _, cred := range dnsCreds {\n        query.DnsCredential.Save(\u0026cred) // Re-save triggers AES encryption\n    }\n\n    // Migrate ACME users\n    var acmeUsers []model.AcmeUser\n    query.AcmeUser.Find(\u0026acmeUsers)\n    for _, user := range acmeUsers {\n        query.AcmeUser.Save(\u0026user)\n    }\n\n    return nil\n}\n```\n\n### Summary of Required Changes\n\n| File | Line | Current | Fix |\n|------|------|---------|-----|\n| `model/dns_credential.go` | 7 | `serializer:json` | `serializer:json[aes]` |\n| `model/acme_user.go` | Key field | `serializer:json` | `serializer:json[aes]` |\n\n## References\n\n- [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)\n- [OWASP IDOR Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html)\n- [PortSwigger: IDOR Vulnerabilities](https://portswigger.net/web-security/access-control/idor)\n\n## Disclosure Timeline\n\n- **2026-03-13**: Vulnerability discovered through source code audit\n- **2026-03-13**: Vulnerability successfully reproduced in local Docker environment\n- **2026-03-13**: All IDOR operations verified: READ, MODIFY, DELETE\n- **2026-03-13**: Security advisory prepared\n- **[Pending]**: Report submitted to nginx-ui maintainers\n- **[Pending]**: CVE ID requested\n- **[Pending]**: Patch developed and tested\n- **[Pending]**: Public disclosure (21-90 days after vendor notification)",
  "id": "GHSA-5hf2-vhj6-gj9m",
  "modified": "2026-03-30T21:26:12Z",
  "published": "2026-03-30T16:41:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33030"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/0xJacky/nginx-ui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys"
}

FKIE_CVE-2026-33030

Vulnerability from fkie_nvd - Published: 2026-03-30 18:16 - Updated: 2026-04-01 18:21

Severity ?

8.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
9.9 (Critical) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m	Exploit, Mitigation, Vendor Advisory
	134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m	Exploit, Mitigation, Vendor Advisory

Impacted products

	Vendor	Product	Version
	nginxui	nginx_ui	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD639632-5708-446A-80D7-4A289528D221",
              "versionEndIncluding": "2.3.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application\u0027s base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches."
    },
    {
      "lang": "es",
      "value": "Nginx UI es una interfaz de usuario web para el servidor web Nginx. En las versiones 2.3.3 y anteriores, Nginx-UI contiene una vulnerabilidad de Referencia Directa Insegura a Objeto (IDOR) que permite a cualquier usuario autenticado acceder, modificar y eliminar recursos pertenecientes a otros usuarios. La estructura base Model de la aplicaci\u00f3n carece de un campo user_id, y todos los puntos finales de recursos realizan consultas por ID sin verificar la propiedad del usuario, lo que permite una omisi\u00f3n completa de la autorizaci\u00f3n en entornos multiusuario. En el momento de la publicaci\u00f3n, no hay parches disponibles p\u00fablicamente."
    }
  ],
  "id": "CVE-2026-33030",
  "lastModified": "2026-04-01T18:21:15.343",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.0,
        "impactScore": 6.0,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.9,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.1,
        "impactScore": 6.0,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2026-03-30T18:16:19.243",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-78"
        },
        {
          "lang": "en",
          "value": "CWE-639"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Secondary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-33030 (GCVE-0-2026-33030)

GHSA-5HF2-VHJ6-GJ9M

Summary

Severity

Product

Affected Versions

CWE

Description

Exposed DNS Provider Credentials

Combined Attack: IDOR + Plaintext Storage

PoC: Extracting Plaintext Credentials via IDOR

Updated CVSS Score with Plaintext Storage

Attack Scenario: Certificate Hijacking

Credit

Recommendation

Immediate Mitigation

Database Migration

Long-term Improvements

Remediation for Plaintext Storage

Immediate Fix: Encrypt Sensitive Fields

Data Migration

Summary of Required Changes

References

Disclosure Timeline

FKIE_CVE-2026-33030

Tags

Sightings

Nomenclature