PT-2026-33844 · Nginx-Ui · Nginx-Ui

Published: 2026-04-20 · Updated: 2026-04-28 · CVE-2026-33031

CVSS v4.0: 8.6 (High)

Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Nginx UI versions prior to 2.3.4
Description: A user disabled by an administrator can keep using previously issued API tokens until the token lifetime expires. This happens because token-based authentication does not check the user.Status field, whereas the login process does. Consequently, an attacker holding a stolen JSON Web Token (JWT, a compact, URL-safe format for claims transferred between two parties) can continue reading and modifying protected resources. Furthermore, because these tokens can be used to create new accounts, a disabled user may retain their privileges indefinitely.
Recommendations: Update to version 2.3.4.
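To make the mechanism concrete, the following Go program is an added example written for this page; it is not Nginx UI's code and does not use its types, routes or token format. It implements a minimal HS256 JWT with the standard library only, keeps a constructed in-memory user table whose Status field is assumed to use 1 for enabled and 0 for disabled, and contrasts an authentication check that stops at signature and expiry verification with one that also applies the status check the login path performs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// User is a constructed record; Status uses 1 = enabled, 0 = disabled
// (an assumption for this example, not Nginx UI's encoding).
type User struct {
	ID     int
	Name   string
	Status int
}

// users is a constructed in-memory table standing in for the database.
var users = map[int]*User{
	1: {ID: 1, Name: "alice", Status: 1},
}

// secret is a constructed signing key for the example only.
var secret = []byte("example-signing-key-not-for-production")

// claims is the JWT payload: subject user id and expiry (unix seconds).
type claims struct {
	UserID int   `json:"uid"`
	Exp    int64 `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// sign issues a minimal HS256 JWT (header.payload.signature) for uid.
func sign(uid int, ttl time.Duration) (string, error) {
	header := b64([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, err := json.Marshal(claims{UserID: uid, Exp: time.Now().Add(ttl).Unix()})
	if err != nil {
		return "", err
	}
	signingInput := header + "." + b64(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// parse checks the signature and expiry and returns the claims.
func parse(token string) (*claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal([]byte(b64(mac.Sum(nil))), []byte(parts[2])) {
		return nil, errors.New("bad signature")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if time.Now().Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// authVulnerable resolves a valid token to its user but never consults
// Status, so a disabled user's not-yet-expired token keeps working.
func authVulnerable(token string) (*User, error) {
	c, err := parse(token)
	if err != nil {
		return nil, err
	}
	u, ok := users[c.UserID]
	if !ok {
		return nil, errors.New("unknown user")
	}
	return u, nil
}

// authFixed adds the same status check the login path already applies.
func authFixed(token string) (*User, error) {
	u, err := authVulnerable(token)
	if err != nil {
		return nil, err
	}
	if u.Status != 1 {
		return nil, errors.New("user disabled")
	}
	return u, nil
}

func main() {
	tok, _ := sign(1, time.Hour)
	users[1].Status = 0 // administrator disables alice while her token is still valid
	_, errV := authVulnerable(tok)
	_, errF := authFixed(tok)
	fmt.Println("vulnerable path:", errV, "| fixed path:", errF)
}
```

Running main issues a token for an enabled user, disables the user, and shows that only the status-checking path rejects the token. The same sequence (issue token, disable account, assert rejection) is the regression test worth adding next to a fix of this kind; until the fix is deployed, invalidating outstanding tokens when an account is disabled, for example by bumping a per-user token version that the claims must match, closes the remaining window.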

Fix

Weakness Enumeration

Incorrect Authorization
Improper Access Control

Related Identifiers

CVE-2026-33031
GHSA-X234-X5VQ-CC2V

Affected Products

Nginx-Ui