GHSA-X234-X5VQ-CC2V
Vulnerability from github – Published: 2026-04-21 15:00 – Updated: 2026-04-21 15:01Summary
A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled.
Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege.
Details
The application exposes an account-level disable control through the users management API. Login process correctly enforces that control: https://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/internal/user/login.go#L29-L31
However, token-based authentication does not enforce the same check (This code validates token structure and expiry, but returns that user object without checking user.Status.):
https://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/internal/user/user.go#L44-L139
There’s also no token revocation feature, unlike when a password is changed: https://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/api/user/user.go#L38-L51
As a result, a disabled user can continue to have full API access. In particular, since that includes account creation, they can create a new account and keep operating even after the JWT expires.
PoC
The issue was validated with version 2.3.3 using the uozi/nginx-ui:sha-c92ec0a docker image.
View the PoC video:
https://github.com/user-attachments/assets/7a5175cb-2f79-4c1b-adad-e7d0bf2ea2bd
Impact
Administrators who rely on "disable user" as an authentication or authorization control can be bypassed.
The disabled user can keep reading sensitive configuration and executing authenticated state-changing actions allowed to that account.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/0xJacky/Nginx-UI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.9.10-0.20260314152518-7b66578adb47"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33031"
],
"database_specific": {
"cwe_ids": [
"CWE-284",
"CWE-863"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-21T15:00:44Z",
"nvd_published_at": "2026-04-20T21:16:32Z",
"severity": "HIGH"
},
"details": "### Summary\n\nA user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user\u2019s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled.\n\nSince tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege.\n\n### Details\n\nThe application exposes an account-level disable control through the users management API. Login process correctly enforces that control:\nhttps://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/internal/user/login.go#L29-L31\n\nHowever, token-based authentication does not enforce the same check (This code validates token structure and expiry, but returns that user object without checking `user.Status`.):\nhttps://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/internal/user/user.go#L44-L139\n\nThere\u2019s also no token revocation feature, unlike when a password is changed:\nhttps://github.com/0xJacky/nginx-ui/blob/6ec542fd97abf2c5950f374f78a32938ad0030e6/api/user/user.go#L38-L51\n\nAs a result, a disabled user can continue to have full API access. In particular, since that includes account creation, they can create a new account and keep operating even after the JWT expires.\n\n### PoC\n\nThe issue was validated with version 2.3.3 using the `uozi/nginx-ui:sha-c92ec0a` docker image.\n\nView the PoC video:\n\n\nhttps://github.com/user-attachments/assets/7a5175cb-2f79-4c1b-adad-e7d0bf2ea2bd\n\n\n\n### Impact\n\nAdministrators who rely on \"disable user\" as an authentication or authorization control can be bypassed.\n\nThe disabled user can keep reading sensitive configuration and executing authenticated state-changing actions allowed to that account.",
"id": "GHSA-x234-x5vq-cc2v",
"modified": "2026-04-21T15:01:11Z",
"published": "2026-04-21T15:00:44Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-x234-x5vq-cc2v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33031"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/commit/7b66578adb47bbec839b621a4666495249379174"
},
{
"type": "PACKAGE",
"url": "https://github.com/0xJacky/nginx-ui"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Nginx-UI: Disabled users retain full API access through previously issued bearer tokens"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.