Is CVE-2026-33031 actively exploited?

CVE-2026-33031 has no public evidence of in-the-wild exploitation as of 2026-04-22.

What is the CVSS score for CVE-2026-33031?

CVE-2026-33031 has a CVSS score of 8.6 (HIGH severity). Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

How do I patch CVE-2026-33031?

Patch guidance is available from nginxui security advisories. CVEDatabase generates AI-assisted remediation guidance on demand for CVE-2026-33031.

Fix CVE-2026-33031 - HIGH nginxui nginx ui

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, a user who was disabled by an administrator can use previously issued API tokens for up to the token lifetime. In practice, disabling a compromised account does not actually terminate that user’s access, so an attacker who already stole a JWT can continue reading and modifying protected resources after the account is marked disabled. Since tokens can be used to create new accounts, it is possible the disabled user to maintain the privilege. Version 2.3.4 patches the issue.

CVSS Metrics

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: network
Complexity: low
Privileges: low
User Action: none
Confidentiality: undefined
Integrity: undefined
Availability: undefined
Weaknesses: CWE-284 CWE-863 · Incorrect Authorization

Metadata

Primary Vendor: NGINXUI
Published: 4/20/2026
Last Modified: 4/22/2026
Source: NIST NVD
Note: Verify all details with official vendor sources before applying patches.

CVE-2026-33031

Description

CVSS Metrics

Metadata

Affected Products

Remediation Guidance

Executive Summary