PT-2026-29091 · Alibaba+5 · Alibaba Cloud Dns+5

F1Vet · Published 2026-03-30 · Updated 2026-04-15 · CVE-2026-33030

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Nginx-UI

Affected Versions: Nginx-UI versions 2.3.3 and prior
Description

Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user id field, and all resource endpoints query by ID without verifying user ownership, enabling a complete authorization bypass in multi-user environments. The dns.Config structure holds provider API credentials: CF API TOKEN for Cloudflare, ALICLOUD ACCESS KEY and ALICLOUD SECRET KEY for Alibaba Cloud DNS, TENCENTCLOUD SECRET ID and TENCENTCLOUD SECRET KEY for Tencent Cloud DNS, AWS ACCESS KEY ID and AWS SECRET ACCESS KEY for AWS Route53, and GODADDY API KEY and GODADDY API SECRET for GoDaddy. Combined with plaintext storage of these credentials, the IDOR allows an attacker to extract API tokens from other users' resources, potentially leading to DNS record modification, fraudulent SSL certificate issuance, and pivoting into cloud infrastructure.
Recommendations

Versions prior to and including 2.3.3: Add a user id field to the base Model struct. Filter queries by the current user's ID. Add authorization middleware to verify resource ownership. Migrate existing data to include the user id and encrypt sensitive fields such as DNS and ACME data using AES encryption.
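The two halves of the recommended fix, an ownership-scoped lookup and an encrypted-at-rest credential, as an added example in Go (the language Nginx-UI is written in). This is not Nginx-UI's own code: `DNSConfig`, `Store`, `GetByIDUnchecked`, `GetForUser`, `Save` and `Secret` are hypothetical names, the in-memory map stands in for the database table, the all-zero key is a constructed demo value, and `GetByIDUnchecked` reproduces the vulnerable lookup-by-ID-only pattern the advisory describes so it can be compared with the scoped version.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrNotFound covers both a missing row and one owned by someone else, so the
// response does not reveal which IDs exist.
var ErrNotFound = errors.New("resource not found")

// DNSConfig is a hypothetical record: UserID is the ownership field the fix
// adds, and the provider credential is stored only as nonce||AES-GCM ciphertext.
type DNSConfig struct {
	ID              uint
	UserID          uint
	Provider        string
	EncryptedSecret []byte
}

// Store is an in-memory stand-in for the database table.
type Store struct {
	rows map[uint]DNSConfig
	key  []byte // 32-byte AES-256 key from config or a KMS, never from the table
}

func NewStore(key []byte) *Store { return &Store{rows: map[uint]DNSConfig{}, key: key} }

// GetByIDUnchecked is the vulnerable pattern: a primary-key lookup with no
// ownership filter, so any authenticated caller who supplies an ID gets the row.
func (s *Store) GetByIDUnchecked(id uint) (DNSConfig, error) {
	row, ok := s.rows[id]
	if !ok {
		return DNSConfig{}, ErrNotFound
	}
	return row, nil
}

// GetForUser is the fixed pattern: the lookup is scoped to the current user,
// the in-memory equivalent of adding "AND user_id = ?" to the query.
func (s *Store) GetForUser(currentUser, id uint) (DNSConfig, error) {
	row, ok := s.rows[id]
	if !ok || row.UserID != currentUser {
		return DNSConfig{}, ErrNotFound
	}
	return row, nil
}

// Save encrypts the provider credential with a fresh random nonce before the
// row is written, so a leaked row does not leak a usable token.
func (s *Store) Save(row DNSConfig, plaintextSecret string) error {
	gcm, err := gcmFor(s.key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	row.EncryptedSecret = gcm.Seal(nonce, nonce, []byte(plaintextSecret), nil)
	s.rows[row.ID] = row
	return nil
}

// Secret decrypts the credential only after the ownership check has passed.
func (s *Store) Secret(currentUser, id uint) (string, error) {
	row, err := s.GetForUser(currentUser, id)
	if err != nil {
		return "", err
	}
	gcm, err := gcmFor(s.key)
	if err != nil {
		return "", err
	}
	n := gcm.NonceSize()
	if len(row.EncryptedSecret) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, row.EncryptedSecret[:n], row.EncryptedSecret[n:], nil)
	return string(pt), err
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	s := NewStore(make([]byte, 32)) // constructed all-zero demo key
	_ = s.Save(DNSConfig{ID: 1, UserID: 10, Provider: "cloudflare"}, "constructed-demo-token")
	_, unchecked := s.GetByIDUnchecked(1) // any caller: succeeds
	_, scoped := s.GetForUser(20, 1)      // user 20 asking for user 10's row
	fmt.Println("unchecked:", unchecked, "| scoped for user 20:", scoped)
}
```

Update and delete handlers get the same treatment as `GetForUser`: resolve the row through the scoped lookup first and act only on what comes back. Returning the same `ErrNotFound` for "missing" and "not yours" keeps the response from confirming which IDs other users hold, and decrypting only inside `Secret`, after the ownership check, means a future query bug exposes ciphertext rather than a live provider token.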

Exploit

Fix

OS Command Injection

IDOR

Weakness Enumeration

Related Identifiers

BDU:2026-04702
CVE-2026-33030
GHSA-5HF2-VHJ6-GJ9M
GO-2026-4901
SUSE-SU-2026:1205-1

Affected Products

Aws Route53
Alibaba Cloud Dns
Cloudflared
Godaddy
Nginx-Ui
Tencent Cloud Dns