cvebase
CVE-2026-33030
published 2026-03-30

Priority P2 · 63 · Critical 9.9 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.28% (19.7th percentile)
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to read, modify, and delete resources belonging to other users. The application's base Model struct has no user_id field, and every resource endpoint queries by ID without verifying that the row belongs to the requesting user, so authorization is bypassed entirely in multi-user deployments. At the time of publication, no patch is publicly available; until a fixed release exists, any account that can authenticate should be assumed able to reach every other account's resources, so limit who can log in and which networks can reach the UI.
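The defect the description names, as an added Go example that is not Nginx UI's code: an in-memory store built on the assumed shape of a base model without user_id, whose lookup answers any authenticated caller, beside a model that carries the owner and a store whose reads, updates and deletes are all filtered on it. Type, field and function names are illustrative assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Added example, not Nginx UI's code. Type and field names are assumed;
// only the pattern (lookup by primary key with no owner filter) is the point.

var ErrNotFound = errors.New("resource not found")

// UnownedResource mirrors a row built on a base model with no user_id:
// nothing in the row says who may read it.
type UnownedResource struct {
	ID   uint
	Name string
}

// OwnedResource carries the owner, which every query must filter on.
type OwnedResource struct {
	ID     uint
	UserID uint
	Name   string
}

type UnownedStore struct{ rows map[uint]UnownedResource }
type OwnedStore struct{ rows map[uint]OwnedResource }

// GetByID is the IDOR shape: the handler authenticated callerID, but the
// query never uses it, so any logged-in user reaches any row.
func (s *UnownedStore) GetByID(callerID, id uint) (UnownedResource, error) {
	_ = callerID
	r, ok := s.rows[id]
	if !ok {
		return UnownedResource{}, ErrNotFound
	}
	return r, nil
}

// Get filters on the owner as part of the lookup. A foreign row and a
// missing row yield the same error, so the endpoint does not confirm to
// other users that an ID exists.
func (s *OwnedStore) Get(callerID, id uint) (OwnedResource, error) {
	r, ok := s.rows[id]
	if !ok || r.UserID != callerID {
		return OwnedResource{}, ErrNotFound
	}
	return r, nil
}

// Update and Delete reuse the scoped lookup so the write paths cannot
// drift away from the read path.
func (s *OwnedStore) Update(callerID, id uint, name string) error {
	r, err := s.Get(callerID, id)
	if err != nil {
		return err
	}
	r.Name = name
	s.rows[id] = r
	return nil
}

func (s *OwnedStore) Delete(callerID, id uint) error {
	if _, err := s.Get(callerID, id); err != nil {
		return err
	}
	delete(s.rows, id)
	return nil
}

// Demo seeds one row owned by user 1 in each store and has user 2 request
// it. It reports whether the unscoped store leaked the row and whether the
// scoped store refused.
func Demo() (leaked, refused bool) {
	u := &UnownedStore{rows: map[uint]UnownedResource{1: {ID: 1, Name: "site-a"}}}
	o := &OwnedStore{rows: map[uint]OwnedResource{1: {ID: 1, UserID: 1, Name: "site-a"}}}
	_, err := u.GetByID(2, 1)
	leaked = err == nil
	_, err = o.Get(2, 1)
	refused = errors.Is(err, ErrNotFound)
	return leaked, refused
}

func main() {
	leaked, refused := Demo()
	fmt.Printf("unscoped lookup leaked another user's row: %v\n", leaked)
	fmt.Printf("scoped lookup refused it: %v\n", refused)
}
```

In an ORM-backed handler the equivalent change is putting the owner column into the query's WHERE clause rather than loading the row by ID and checking ownership afterwards, so that a forgotten check cannot reintroduce the bypass; returning not-found rather than forbidden for foreign rows also keeps the endpoint from confirming which IDs exist.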

Affected (3 ranges)

Vendor        Product             Version range   Fixed in
0xjacky       nginx-ui            <= 2.3.3        (none)
github.com    0xjacky_nginx-ui    0 – 1.99        (none)
nginxui       nginx_ui            <= 2.3.3        (none)

Detection & IOCs (extracted from sources)

  • Every resource endpoint in Nginx UI looks rows up by ID without verifying that the row belongs to the caller; monitor for authenticated users reading, modifying, or deleting resource IDs that their own account does not own (cross-user ID enumeration pattern).
  • The base Model struct has no user_id field, so database queries cannot be scoped to the requesting user; the absence of an ownership column in those queries is the root structural indicator of the IDOR.
  • No patch is available for CVE-2026-33030 as of publication; affected versions are 2.3.3 and prior, with no fixed release.
  • Multi-user Nginx UI deployments are the exposed case; single-user deployments have reduced exposure, but the authorization bypass is still present in the code.
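A detection heuristic for the first bullet, as an added Go example that is not from the page's sources. It assumes an access log already reduced to lines of the form user=<id> method=<verb> path=/api/<resource>/<id> (a constructed format, since the page gives none) and an ownership table exported from the application database; resource names such as sites and certs are illustrative, not Nginx UI's actual routes.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
)

// Added detection example, not from the page's sources. The log format and
// the resource names are constructed assumptions.

type Access struct {
	User     uint
	Method   string
	Resource string
	ID       uint
}

// Key identifies a row by table and id, since ids are only unique per table.
type Key struct {
	Resource string
	ID       uint
}

// Finding collects, per user, the distinct foreign rows they touched and how
// many of those touches were writes.
type Finding struct {
	User    uint
	Foreign []Key // in log order, deduplicated
	Writes  int   // non-GET requests against rows owned by someone else
}

var lineRe = regexp.MustCompile(`user=(\d+) method=([A-Z]+) path=/api/([a-z_]+)/(\d+)`)

// ParseLine extracts one access; lines that do not match are skipped.
func ParseLine(line string) (Access, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Access{}, false
	}
	user, err1 := strconv.ParseUint(m[1], 10, 32)
	id, err2 := strconv.ParseUint(m[4], 10, 32)
	if err1 != nil || err2 != nil {
		return Access{}, false
	}
	return Access{User: uint(user), Method: m[2], Resource: m[3], ID: uint(id)}, true
}

// Detect flags every access to a row the caller does not own. Unknown rows
// are ignored rather than flagged, to avoid noise from stale ownership data.
func Detect(lines []string, owners map[Key]uint) map[uint]*Finding {
	out := map[uint]*Finding{}
	seen := map[uint]map[Key]bool{}
	for _, l := range lines {
		a, ok := ParseLine(l)
		if !ok {
			continue
		}
		k := Key{a.Resource, a.ID}
		owner, known := owners[k]
		if !known || owner == a.User {
			continue
		}
		f := out[a.User]
		if f == nil {
			f = &Finding{User: a.User}
			out[a.User] = f
			seen[a.User] = map[Key]bool{}
		}
		if !seen[a.User][k] {
			seen[a.User][k] = true
			f.Foreign = append(f.Foreign, k)
		}
		if a.Method != "GET" {
			f.Writes++
		}
	}
	return out
}

// Severity ranks a finding: any write to a foreign row is the worst case,
// reading at least threshold distinct foreign rows is the enumeration
// pattern, and a single foreign read is reported but ranked lowest.
func Severity(f *Finding, threshold int) string {
	switch {
	case f.Writes > 0:
		return "write-to-foreign"
	case len(f.Foreign) >= threshold:
		return "enumeration"
	default:
		return "single-foreign-read"
	}
}

// Constructed sample data: rows 1, 2 and cert 10 belong to user 1; row 3 and
// cert 11 to user 2. User 2 walks user 1's rows and deletes one of them.
var SampleOwners = map[Key]uint{
	{"sites", 1}: 1, {"sites", 2}: 1, {"sites", 3}: 2,
	{"certs", 10}: 1, {"certs", 11}: 2,
}

var SampleLog = []string{
	"user=1 method=GET path=/api/sites/1",
	"user=2 method=GET path=/api/sites/1",
	"user=2 method=GET path=/api/sites/2",
	"user=2 method=DELETE path=/api/certs/10",
	"user=2 method=GET path=/api/sites/3",
	"user=1 method=GET path=/api/certs/11",
	"GET /healthz 200",
}

func main() {
	for user, f := range Detect(SampleLog, SampleOwners) {
		fmt.Printf("user %d: %d foreign rows, %d writes, %s\n",
			user, len(f.Foreign), f.Writes, Severity(f, 2))
	}
}
```

The ownership table is the piece a SIEM does not have on its own; exporting it from the application database (or reconstructing it from resource-creation events) is what turns generic access logging into a cross-user detection.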