CVE-2026-34403

Nginx-UI vulnerable to Cross-Site WebSocket Hijacking (CSWSH) via missing origin validation on all WebSocket endpoints

CVSS 5.5 MEDIUM · EPSS 0.2% · CWE-1385
In short

Nginx-UI allows attackers to hijack the WebSocket connections of authenticated users by luring them to a malicious web page. This is possible because the application does not verify the Origin of WebSocket handshake requests, and the authentication token lives in a cookie that was set without HttpOnly or an explicit SameSite attribute, so the browser attaches it to the cross-site handshake.

Technical detail

All WebSocket endpoints use a gorilla/websocket Upgrader whose CheckOrigin callback unconditionally returns true, so the server never rejects a handshake based on the Origin header. The authentication token is stored in a browser cookie set from JavaScript, without HttpOnly and without an explicit SameSite attribute. An attacker who hosts a page that opens a WebSocket to the victim's nginx-ui instance therefore obtains an authenticated connection whenever a logged-in administrator visits that page: the browser attaches the cookie to the cross-site handshake and the origin check that should refuse it is absent. From there the attacker can perform whatever administrative actions those endpoints expose. Note that HttpOnly alone would not close this hole, since it only stops scripts from reading the cookie; a restrictive SameSite value, or a real origin check on the server, is what keeps the cookie off a cross-site handshake.

Summary generated and translated by AI from the official description.
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
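The vulnerable and the hardened CheckOrigin side by side, plus the server-set cookie attributes that replace a token written from JavaScript. This is an added example, not nginx-ui's code or the 2.3.5 patch; the hostname nginx-ui.internal, the path /api/ws, the allowlist origin admin.example and the helper names are assumptions made for the demonstration. It uses only the standard library, so the checker is a plain func(*http.Request) bool, which is the type gorilla's Upgrader.CheckOrigin field expects.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// insecureCheckOrigin is the pattern the advisory describes: every Origin is
// accepted, so a handshake triggered from any site the logged-in administrator
// visits is upgraded, with the browser attaching the session cookie to it.
func insecureCheckOrigin(r *http.Request) bool { return true }

// newOriginChecker returns a function with gorilla's CheckOrigin signature.
// It accepts a handshake only when the Origin header's host matches the
// request's Host, or when the full scheme://host[:port] is in extraAllowed
// (hypothetical allowlist, e.g. for a reverse proxy on another hostname).
// A request with no Origin header is allowed, as gorilla's default same-origin
// check does: browsers always send Origin on a WebSocket handshake, so its
// absence means a non-browser client rather than a cross-site page.
func newOriginChecker(extraAllowed ...string) func(r *http.Request) bool {
	allowed := make(map[string]struct{}, len(extraAllowed))
	for _, o := range extraAllowed {
		allowed[strings.ToLower(o)] = struct{}{}
	}
	return func(r *http.Request) bool {
		origin := r.Header.Get("Origin")
		if origin == "" {
			return true
		}
		u, err := url.Parse(origin)
		if err != nil || u.Host == "" { // covers "null" and garbage values
			return false
		}
		if strings.EqualFold(u.Host, r.Host) {
			return true
		}
		_, ok := allowed[strings.ToLower(u.Scheme+"://"+u.Host)]
		return ok
	}
}

// sessionCookie builds the server-set cookie that should replace a token
// written from JavaScript: HttpOnly cannot be set from script at all, and
// SameSite=Lax (or Strict) keeps the browser from attaching the cookie to a
// cross-site WebSocket handshake, which is the second half of the fix.
func sessionCookie(name, token string, secure bool) *http.Cookie {
	return &http.Cookie{
		Name:     name,
		Value:    token,
		Path:     "/",
		HttpOnly: true,
		Secure:   secure,
		SameSite: http.SameSiteLaxMode,
	}
}

func main() {
	// Wiring into gorilla would be:
	//   upgrader := websocket.Upgrader{CheckOrigin: newOriginChecker()}
	// The constructed handshake requests below stand in for a real browser.
	check := newOriginChecker("https://admin.example")
	for _, origin := range []string{
		"https://evil.example",          // attacker page: must be rejected
		"http://nginx-ui.internal:9000", // same host as the server: allowed
		"https://admin.example",         // explicitly allowlisted: allowed
		"null",                          // opaque/sandboxed origin: rejected
	} {
		r := httptest.NewRequest("GET", "http://nginx-ui.internal:9000/api/ws", nil)
		r.Header.Set("Origin", origin)
		fmt.Printf("origin %-32q vulnerable=%v hardened=%v\n",
			origin, insecureCheckOrigin(r), check(r))
	}
	fmt.Println(sessionCookie("token", "example", true).String())
}
```

The same-host comparison deliberately ignores the scheme, matching gorilla's default behaviour, so an allowlist entry is only needed when the UI is served under a hostname different from the one the browser connects to. SameSite=Lax is enough here because a WebSocket handshake started from another site is never a top-level navigation; Strict would additionally drop the cookie on ordinary links into the UI from other sites.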
Affected products
0xJacky · nginx-ui
