CVE-2026-34403 - Vulnerability Details

CVE-2026-34403 - Nginx-UI vulnerable to Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
0xjacky	Nginx-ui

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
0xjacky	Nginx-ui

References

Link	Providers
https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-78mf-482w-62qj

History

Mon, 20 Apr 2026 22:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		0xjacky 0xjacky nginx-ui
Vendors & Products		0xjacky 0xjacky nginx-ui

Mon, 20 Apr 2026 21:00:00 +0000

Type	Values Removed	Values Added
Description		Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue.
Title		Nginx-UI vulnerable to Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
Weaknesses		CWE-1385
References		https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5 https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-78mf-482w-62qj
Metrics		cvssV4_0 `{'score': 5.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}`

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-20T20:16:47.597Z

Updated: 2026-04-20T20:16:47.597Z

Reserved: 2026-03-27T13:45:29.620Z

Link: CVE-2026-34403

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-20T21:16:36.267

Modified: 2026-04-20T21:16:36.267

Link: CVE-2026-34403

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T22:30:19Z

Metrics

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction Active

Vulnerable System Confidentiality Impact None

Vulnerable System Integrity Impact High

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object