Nginx-UI, Authentication Bypass, High severity (CVE not applicable)

Listen to this Post

How the mentioned CVE works:

The vulnerability arises because Nginx-UI fails to invalidate bearer tokens (JWTs) when an administrator disables a user account. The login handler correctly checks the user’s status (enabled/disabled) before issuing a token. However, the token-based authentication middleware only validates the token’s signature, expiry, and structure; it does not verify whether the user associated with the token is still active. Specifically, in internal/user/user.go, the token extraction logic returns a user object without checking user.Status. There is no token revocation mechanism, unlike when a password is changed (where tokens are cleared). As a result, a disabled user can continue using their previously obtained JWT for the entire token lifetime. Because the API allows account creation, the disabled user can create a new account before the token expires, thereby maintaining persistent access. The attack bypasses the intended “disable user” control, effectively rendering account deactivation useless if a token has already been stolen or is still held by a malicious actor. The issue affects all versions before the patched commit 7b66578adb47 (release 1.9.10-0.20260314152518). The PoC uses the uozi/nginx-ui:sha-c92ec0a Docker image to demonstrate that a disabled user retains full API read/write capabilities, including creating new user accounts.

dailycve form:

Platform: Nginx-UI
Version: < 1.9.10-0.20260314152518
Vulnerability: Token revocation missing
Severity: High
Date: Apr 21 2026

Prediction: 14 March 2026

What Undercode Say:

Analytics:

Check if token validation skips user status

grep -A 10 “func GetUserFromToken” internal/user/user.go

Simulate disabled user with existing JWT

curl -H “Authorization: Bearer ” \

http://nginx-ui/api/users

List users to confirm disabled account still active

curl -H “Authorization: Bearer ” \

http://nginx-ui/api/users/list

Create new account using disabled user’s token

curl -X POST -H “Authorization: Bearer ” \

-d ‘{“username”:”backdoor”,”password”:”pwn”}’ \
http://nginx-ui/api/user/create

Exploit:

  1. Attacker steals a valid JWT from an account (e.g., via XSS or network sniffing).

2. Administrator disables that account after detecting compromise.

  1. Attacker continues using the same JWT to call any API endpoint (GET configs, POST changes, create new users).
  2. Even after JWT expiry, the attacker can use the token to create a fresh enabled account, gaining permanent foothold.

Protection from this CVE

  • Upgrade to patched version >= 1.9.10-0.20260314152518.
  • Implement middleware that checks user.Status on every authenticated request.
  • Enforce short JWT lifetimes (e.g., 15 minutes) and force re-authentication.
  • Add token blacklist/revocation table in database, invalidating tokens on user disable or password change.
  • Monitor logs for API calls from disabled user IDs.

Impact

  • Complete bypass of account disable mechanism.
  • Disabled users retain read access to sensitive configs (nginx configs, proxy settings) and write access to modify them.
  • Attackers can create new admin accounts, escalating privileges.
  • Administrators lose trust in “disable user” as a security control, leading to undetected lateral movement.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top