Listen to this Post
How the mentioned CVE works:
The vulnerability arises because Nginx-UI fails to invalidate bearer tokens (JWTs) when an administrator disables a user account. The login handler correctly checks the user’s status (enabled/disabled) before issuing a token. However, the token-based authentication middleware only validates the token’s signature, expiry, and structure; it does not verify whether the user associated with the token is still active. Specifically, in internal/user/user.go, the token extraction logic returns a user object without checking user.Status. There is no token revocation mechanism, unlike when a password is changed (where tokens are cleared). As a result, a disabled user can continue using their previously obtained JWT for the entire token lifetime. Because the API allows account creation, the disabled user can create a new account before the token expires, thereby maintaining persistent access. The attack bypasses the intended “disable user” control, effectively rendering account deactivation useless if a token has already been stolen or is still held by a malicious actor. The issue affects all versions before the patched commit 7b66578adb47 (release 1.9.10-0.20260314152518). The PoC uses the uozi/nginx-ui:sha-c92ec0a Docker image to demonstrate that a disabled user retains full API read/write capabilities, including creating new user accounts.
dailycve form:
Platform: Nginx-UI
Version: < 1.9.10-0.20260314152518
Vulnerability: Token revocation missing
Severity: High
Date: Apr 21 2026
Prediction: 14 March 2026
What Undercode Say:
Analytics:
Check if token validation skips user status
grep -A 10 “func GetUserFromToken” internal/user/user.go
Simulate disabled user with existing JWT
curl -H “Authorization: Bearer ” \
http://nginx-ui/api/users
List users to confirm disabled account still active
curl -H “Authorization: Bearer ” \
http://nginx-ui/api/users/list
Create new account using disabled user’s token
curl -X POST -H “Authorization: Bearer ” \
-d ‘{“username”:”backdoor”,”password”:”pwn”}’ \
http://nginx-ui/api/user/create
Exploit:
- Attacker steals a valid JWT from an account (e.g., via XSS or network sniffing).
2. Administrator disables that account after detecting compromise.
- Attacker continues using the same JWT to call any API endpoint (GET configs, POST changes, create new users).
- Even after JWT expiry, the attacker can use the token to create a fresh enabled account, gaining permanent foothold.
Protection from this CVE
- Upgrade to patched version >= 1.9.10-0.20260314152518.
- Implement middleware that checks user.Status on every authenticated request.
- Enforce short JWT lifetimes (e.g., 15 minutes) and force re-authentication.
- Add token blacklist/revocation table in database, invalidating tokens on user disable or password change.
- Monitor logs for API calls from disabled user IDs.
Impact
- Complete bypass of account disable mechanism.
- Disabled users retain read access to sensitive configs (nginx configs, proxy settings) and write access to modify them.
- Attackers can create new admin accounts, escalating privileges.
- Administrators lose trust in “disable user” as a security control, leading to undetected lateral movement.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

