CVE-2026-33031: Nginx-UI: Disabled users retain full API access through previously issued bearer tokens

April 21, 2026 (updated April 27, 2026)

A user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled.

Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege.

References

github.com/0xJacky/nginx-ui
github.com/0xJacky/nginx-ui/commit/7b66578adb47bbec839b621a4666495249379174
github.com/0xJacky/nginx-ui/releases/tag/v2.3.4
github.com/0xJacky/nginx-ui/security/advisories/GHSA-x234-x5vq-cc2v
github.com/advisories/GHSA-x234-x5vq-cc2v
nvd.nist.gov/vuln/detail/CVE-2026-33031

Code Behaviors & Features

Detect and mitigate CVE-2026-33031 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →