{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34403", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-27T13:45:29.620Z", "datePublished": "2026-04-20T20:16:47.597Z", "dateUpdated": "2026-04-21T13:36:46.510Z"}, "containers": {"cna": {"title": "Nginx-UI vulnerable to Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints", "problemTypes": [{"descriptions": [{"cweId": "CWE-1385", "lang": "en", "description": "CWE-1385: Missing Origin Validation in WebSockets", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "version": "4.0"}}], "references": [{"name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-78mf-482w-62qj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-78mf-482w-62qj"}, {"name": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5", "tags": ["x_refsource_MISC"], "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5"}], "affected": [{"vendor": "0xJacky", "product": "nginx-ui", "versions": [{"version": "< 2.3.5", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T20:16:47.597Z"}, "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue."}], "source": {"advisory": "GHSA-78mf-482w-62qj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-21T13:36:34.314909Z", "id": "CVE-2026-34403", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T13:36:46.510Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34403", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-21T13:36:34.314909Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-21T13:36:39.685Z"}}], "cna": {"title": "Nginx-UI vulnerable to Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints", "source": {"advisory": "GHSA-78mf-482w-62qj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "0xJacky", "product": "nginx-ui", "versions": [{"status": "affected", "version": "< 2.3.5"}]}], "references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-78mf-482w-62qj", "name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-78mf-482w-62qj", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5", "name": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1385", "description": "CWE-1385: Missing Origin Validation in WebSockets"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-20T20:16:47.597Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34403", "state": "PUBLISHED", "dateUpdated": "2026-04-21T13:36:46.510Z", "dateReserved": "2026-03-27T13:45:29.620Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-20T20:16:47.597Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*", "matchCriteriaId": "E34E1B0C-93FE-42B5-BD62-2C25094D5C14", "versionEndExcluding": "2.3.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue."}], "id": "CVE-2026-34403", "lastModified": "2026-04-22T17:35:42.613", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-20T21:16:36.267", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.5"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-78mf-482w-62qj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1385"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.5)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nginx-ui", "source": "cna", "vendor": "0xJacky"}, "product": "nginx-ui", "vendor": "0xjacky"}], "analysis": {"en": {"generated_at": "2026-04-22T03:27:51.756388+00:00", "value": {"mitigation_remediation": ["Update nginx\u2011UI to version 2.3.5 or later to apply the origin\u2011validation patch.", "Ensure administrators do not remain logged in while browsing untrusted sites; impose session timeouts or enforce a policy that requires re\u2011authentication before accessing high\u2011privilege functions.", "If an immediate upgrade is not feasible, place a reverse\u2011proxy or web\u2011garden in front of nginx\u2011UI that validates the Origin header for WebSocket connections, adding an extra layer of enforcement until the upstream application can be updated."], "summary": {"action": "Patch immediately", "impact": "Cross\u2011Site WebSocket Hijacking enabling authenticated actions on nginx\u2011UI"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the nginx\u2011UI web user interface developed by 0xJacky. All releases prior to version 2.3.5 are vulnerable; the issue was fixed in release 2.3.5 and later.", "description_and_impact": "Based on the description, it is inferred that the likely attack vector involves a malicious webpage establishing a WebSocket connection to nginx\u2011UI. The flaw arises from nginx\u2011UI\u2019s WebSocket endpoints using a gorilla/websocket Upgrader that unconditionally accepts any Origin header, effectively disabling origin validation. Consequently, a malicious webpage can open a WebSocket connection to an nginx\u2011UI instance and, if an administrator is already logged in, the browser will automatically supply the authentication cookie. Because this cookie is set via JavaScript without HttpOnly or SameSite attributes, client\u2011side scripts can also read it, allowing the attacker to impersonate the administrator and perform any action the legitimate user could, including altering configuration or uploading files.", "risk_and_exploitability": "The CVSS score of 5.5 indicates moderate severity. The EPSS score of <1% and the fact that the vulnerability is not listed in CISA\u2019s KEV catalog suggest limited exploitation to date. Exploitation requires an administrator who is logged into the nginx\u2011UI to visit a malicious page; the attacker only needs to serve a crafted web page, making it a client\u2011side attack that can be launched from any network reachable by the victim\u2019s browser. The absence of HttpOnly or SameSite attributes in the authentication cookie further lowers the barrier to exploitation, but the overall risk remains moderate until the fix is applied."}}}}, "created": "2026-04-20T22:30:19.705178+00:00", "updated": "2026-04-22T03:30:06.690640+00:00", "vendors": ["0xjacky", "0xjacky$PRODUCT$nginx-ui"]}