CVE-2026-34403
Published 2026-04-20
Priority P3 · 43 · CVSS 3.1: 8.1 (high)
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
EPSS: 0.18% (7.3rd percentile)
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 0xjacky | nginx-ui | < 2.3.5 | 2.3.5 |
| github.com | 0xjacky_nginx-ui | >= 0 < 1.9.10-0.20260316053337-1a9cd29a3082 | 1.9.10-0.20260316053337-1a9cd29a3082 |
| nginxui | nginx_ui | < 2.3.5 | 2.3.5 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| NVD | 4.0 | 5.5 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
CVE-2026-34403 [MEDIUM] 0xJacky nginx-ui up to 2.3.4 gorilla/websocket missing origin validation in websockets (GHSA-78mf-482w-62qj / WID-SEC-2026-1188)
vuldb · 2026-04-22 · CVSS 5.5
A vulnerability was found in 0xJacky nginx-ui up to 2.3.4 and classified as problematic. The affected element is an unknown function of the gorilla/websocket component; the flaw is missing origin validation on the WebSocket endpoints.
This vulnerability is tracked as CVE-2026-34403. The attack can be executed remotely. No public exploit is available.
Upgrading the affected component is recommended.
GHSA
CVE-2026-34403 [HIGH] CWE-1385 Nginx-UI: Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints
ghsa · 2026-04-21
## Summary
All WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page.
## Details
### Vulnerable Code Pattern
Every WebSocket endpoint in the codebase uses the same unsafe upgrader configuration:
```go
// Found in: api/terminal/pty.go, api/analytic/analytic.go, api/e
```
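The snippet above is cut off on this page, so the following is an added, stand-alone Go example (not nginx-ui's code and not the 2.3.5 patch) of the check a `CheckOrigin` callback should perform instead of returning `true`. It mirrors what gorilla/websocket does when `CheckOrigin` is nil (accept only when the `Origin` host equals the request `Host`), adds an explicit allowlist for reverse-proxy deployments, and pairs it with a cookie that carries the `HttpOnly`/`SameSite`/`Secure` attributes the advisory notes were missing. The hostnames `nginx-ui.internal:9000`, `ui.example.com`, `attacker.example`, the path `/ws`, the cookie name `token` and the variable `allowedOrigins` are placeholders; gorilla/websocket itself is not imported so the file runs with the standard library alone.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// originAllowed is the logic a gorilla/websocket Upgrader should run from its
// CheckOrigin callback instead of returning true unconditionally. It mirrors
// gorilla's behaviour when CheckOrigin is nil (accept only when the Origin
// host equals the request Host, case-insensitively) and adds an allowlist for
// deployments where the browser reaches the UI through a different public
// name than the backend sees (reverse proxy, split DNS). allowed holds bare
// host[:port] values.
func originAllowed(r *http.Request, allowed []string) bool {
	origin := r.Header.Get("Origin")
	if origin == "" {
		// No Origin header: not a browser cross-site request (curl, CLI
		// tools). gorilla's default accepts this too; the cookie-carrying
		// browser handshake that CSWSH relies on always sends Origin.
		return true
	}
	u, err := url.Parse(origin)
	if err != nil || u.Host == "" {
		// Covers "Origin: null" (sandboxed iframes, data: URLs) and junk.
		return false
	}
	host := strings.ToLower(u.Host)
	if host == strings.ToLower(r.Host) {
		return true
	}
	for _, a := range allowed {
		if host == strings.ToLower(a) {
			return true
		}
	}
	return false
}

// sessionCookie builds the auth-token cookie with the attributes the advisory
// says were missing. HttpOnly keeps page script away from the value, SameSite
// stops the browser attaching it to a cross-site WebSocket handshake, Secure
// limits it to TLS. Set it server-side with http.SetCookie rather than from
// JavaScript. The name "token" is a placeholder, not nginx-ui's.
func sessionCookie(token string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     "token",
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteStrictMode,
	}
}

// Wiring into the upgrader (gorilla/websocket is not imported here so the file
// stays stdlib-only; allowedOrigins is a hypothetical config value):
//
//	var upgrader = websocket.Upgrader{
//		CheckOrigin: func(r *http.Request) bool {
//			return originAllowed(r, allowedOrigins)
//		},
//	}
//
// The vulnerable pattern the advisory describes is the same struct with
// CheckOrigin: func(*http.Request) bool { return true }.

func main() {
	cases := []struct {
		origin  string
		allowed []string
	}{
		{"", nil},                                              // CLI client, no Origin
		{"http://nginx-ui.internal:9000", nil},                 // same host
		{"https://attacker.example", nil},                      // CSWSH attempt
		{"null", nil},                                          // opaque origin
		{"https://ui.example.com", []string{"ui.example.com"}}, // allowlisted proxy name
	}
	for _, c := range cases {
		// Constructed handshake request; r.Host is taken from the URL.
		r, _ := http.NewRequest("GET", "http://nginx-ui.internal:9000/ws", nil)
		if c.origin != "" {
			r.Header.Set("Origin", c.origin)
		}
		fmt.Printf("Origin=%q allowed=%v\n", c.origin, originAllowed(r, c.allowed))
	}
	fmt.Printf("cookie: %s\n", sessionCookie("example-token", true).String())
}
```

Two caveats a deployer should keep in mind. The host comparison is exact, so an `Origin` of `https://ui.example.com` (no explicit port) does not match a `Host` of `ui.example.com:443`; gorilla's default behaves the same way, and the allowlist is where such variants go. The cookie attributes are defence in depth: the origin check is the fix for CWE-1385, while `SameSite` only removes the ambient credential from cross-site handshakes and does nothing against a page served from the same site.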
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.