{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33030", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.669Z", "datePublished": "2026-03-30T17:58:54.381Z", "dateUpdated": "2026-03-31T19:09:45.914Z"}, "containers": {"cna": {"title": "Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m"}], "affected": [{"vendor": "0xJacky", "product": "nginx-ui", "versions": [{"version": "<= 2.3.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T17:58:54.381Z"}, "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-5hf2-vhj6-gj9m", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T18:39:20.785778Z", "id": "CVE-2026-33030", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T19:09:45.914Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys", "source": {"advisory": "GHSA-5hf2-vhj6-gj9m", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "0xJacky", "product": "nginx-ui", "versions": [{"status": "affected", "version": "<= 2.3.3"}]}], "references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m", "name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639: Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T17:58:54.381Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33030", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T18:39:20.785778Z"}}}], "references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-31T19:07:31.225Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33030", "state": "PUBLISHED", "dateUpdated": "2026-03-30T17:58:54.381Z", "dateReserved": "2026-03-17T17:22:14.669Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-30T17:58:54.381Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD639632-5708-446A-80D7-4A289528D221", "versionEndIncluding": "2.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches."}, {"lang": "es", "value": "Nginx UI es una interfaz de usuario web para el servidor web Nginx. En las versiones 2.3.3 y anteriores, Nginx-UI contiene una vulnerabilidad de Referencia Directa Insegura a Objeto (IDOR) que permite a cualquier usuario autenticado acceder, modificar y eliminar recursos pertenecientes a otros usuarios. La estructura base Model de la aplicaci\u00f3n carece de un campo user_id, y todos los puntos finales de recursos realizan consultas por ID sin verificar la propiedad del usuario, lo que permite una omisi\u00f3n completa de la autorizaci\u00f3n en entornos multiusuario. En el momento de la publicaci\u00f3n, no hay parches disponibles p\u00fablicamente."}], "id": "CVE-2026-33030", "lastModified": "2026-04-01T18:21:15.343", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.0, "impactScore": 6.0, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.9, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-30T18:16:19.243", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-639"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.3]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nginx-ui", "source": "cna", "vendor": "0xJacky"}, "product": "nginx-ui", "vendor": "0xjacky"}], "analysis": {"en": {"generated_at": "2026-03-30T19:22:50.530593+00:00", "value": {"mitigation_remediation": ["Disable or remove the vulnerable nginx-ui installation until a vendor patch becomes available.", "Restrict authenticated UI access to only trusted, high\u2011privileged users or enforce role\u2011based access control to limit actions.", "Audit all existing DNS API tokens and ACME private keys, revoke compromised credentials, and regenerate new ones.", "Monitor system logs for unauthorized modifications or unexpected token usage.", "Apply the vendor\u2011released fix or upgrade to a patched version as soon as it is released."], "summary": {"action": "Assess Impact", "impact": "Unauthorized access and modification of other users' resources through authentication bypass."}, "threat_synthesis": {"affected_systems": "The affected product is 0xJacky\u2019s nginx-ui, specifically all releases 2.3.3 and below.", "description_and_impact": "Nginx UI versions 2.3.3 and earlier contain an Insecure Direct Object Reference flaw that permits any authenticated user to read, change, or delete other users' data. The vulnerability stems from missing ownership checks on resource endpoints, allowing complete authorization bypass. Attackers can take control of other users\u2019 accounts, manipulate configurations, and potentially steal sensitive DNS API tokens or ACME private keys stored by other users.", "risk_and_exploitability": "The flaw receives a high severity CVSS score of 8.8, indicating substantial impact if exploited. No EPSS data is available, and it is not listed in CISA\u2019s KEV catalog, suggesting that exploitable code has not yet been widely recorded. The attack vector is inferred to be authenticated access to the UI; an attacker must first log in to the web interface to trigger the bypass. Once authenticated, the attacker can perform unauthorized CRUD operations on any resource."}}}}, "created": "2026-03-30T20:55:21.592699+00:00", "updated": "2026-03-31T20:40:34.392041+00:00", "vendors": ["0xjacky", "0xjacky$PRODUCT$nginx-ui"]}