{"id":"CVE-2026-33030","summary":"Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys","details":"Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.","aliases":["GHSA-5hf2-vhj6-gj9m","GO-2026-4901"],"modified":"2026-04-10T05:42:33.922386Z","published":"2026-03-30T17:58:54.381Z","related":["SUSE-SU-2026:1205-1"],"database_specific":{"cwe_ids":["CWE-639","CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33030.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33030.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33030"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/0xjacky/nginx-ui","events":[{"introduced":"0"},{"last_affected":"e5da6dd96dae5567a7aaa27a4000a4762696d89c"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"2.3.3"}]}}],"versions":["v1.1.0","v1.2.0","v1.2.0-alpha.3","v1.2.0-alpha.4","v1.2.0-rc.1","v1.2.0-rc.2","v1.2.0-rc.3","v1.2.1","v1.2.2","v1.3.0","v1.3.0-rc1","v1.3.1","v1.3.1-fix","v1.3.2","v1.3.3-rc1","v1.4.0","v1.4.0-rc1","v1.4.1","v1.4.2","v1.5.0","v1.5.0-beta1","v1.5.0-beta2","v1.5.0-beta3","v1.5.0-beta4","v1.5.0-beta4-fix","v1.5.0-beta5","v1.5.0-beta6","v1.5.0-beta7","v1.5.0-beta8","v1.5.0-beta9","v1.5.1","v1.5.2","v1.6.0","v1.6.0-fix","v1.6.1","v1.6.2","v1.6.3","v1.6.5","v1.6.6","v1.6.7","v1.6.8","v1.7.0","v1.7.0-patch","v1.7.1","v1.7.2","v1.7.3","v1.7.4","v1.7.5","v1.7.6","v1.7.7","v1.7.8","v1.7.9","v1.8.0","v1.8.1","v1.8.2","v1.8.3","v1.8.4","v1.8.4-patch","v1.9.9","v1.9.9-1","v1.9.9-2","v1.9.9-3","v1.9.9-4","v2.0.0","v2.0.0-beta.1","v2.0.0-beta.10","v2.0.0-beta.10-patch","v2.0.0-beta.11","v2.0.0-beta.12","v2.0.0-beta.13","v2.0.0-beta.13-patch","v2.0.0-beta.14","v2.0.0-beta.15","v2.0.0-beta.16","v2.0.0-beta.17","v2.0.0-beta.18","v2.0.0-beta.18-patch.1","v2.0.0-beta.18-patch.2","v2.0.0-beta.19","v2.0.0-beta.2","v2.0.0-beta.20","v2.0.0-beta.21","v2.0.0-beta.22","v2.0.0-beta.23","v2.0.0-beta.23-patch.1","v2.0.0-beta.23-patch.2","v2.0.0-beta.24","v2.0.0-beta.25","v2.0.0-beta.25-patch.1","v2.0.0-beta.25-patch.2","v2.0.0-beta.26","v2.0.0-beta.27","v2.0.0-beta.28","v2.0.0-beta.29","v2.0.0-beta.3","v2.0.0-beta.30","v2.0.0-beta.31","v2.0.0-beta.32","v2.0.0-beta.32-patch.1","v2.0.0-beta.33","v2.0.0-beta.34","v2.0.0-beta.35","v2.0.0-beta.36","v2.0.0-beta.37","v2.0.0-beta.37-patch.1","v2.0.0-beta.37-patch.2","v2.0.0-beta.37-patch.3","v2.0.0-beta.37-patch.4","v2.0.0-beta.37-patch.5","v2.0.0-beta.38","v2.0.0-beta.39","v2.0.0-beta.4","v2.0.0-beta.4-patch","v2.0.0-beta.40","v2.0.0-beta.41","v2.0.0-beta.42","v2.0.0-beta.5","v2.0.0-beta.5-patch","v2.0.0-beta.6","v2.0.0-beta.6-patch","v2.0.0-beta.6-patch.2","v2.0.0-beta.7","v2.0.0-beta.8","v2.0.0-beta.8-patch","v2.0.0-beta.9","v2.0.0-rc.1","v2.0.0-rc.1-patch.1","v2.0.0-rc.1-patch.2","v2.0.0-rc.2","v2.0.0-rc.3","v2.0.0-rc.3-patch.1","v2.0.0-rc.4","v2.0.0-rc.4-patch.1","v2.0.0-rc.4-patch.2","v2.0.0-rc.4-patch.3","v2.0.0-rc.5","v2.0.0-rc.6","v2.0.0-rc.6-patch.1","v2.0.0-rc.6-patch.2","v2.0.0-rc.6-patch.3","v2.0.0-rc.6-patch.4","v2.0.0-rc.6-patch.5","v2.0.0-rc.7","v2.0.0-rc.7-patch.2","v2.0.0-rc.7-patch.3","v2.0.0-rc.7-patch.4","v2.0.0-rc.7-patch.5","v2.0.0-rc.7-patch.6","v2.0.0-rc.7-patch.7","v2.0.0-rc.7-patch.8","v2.0.0-rc.8","v2.0.0-rc.8-patch.1","v2.0.1","v2.0.2","v2.1.0","v2.1.0-beta.1","v2.1.0-patch.1","v2.1.0-rc.1","v2.1.0-rc.2","v2.1.0-rc.3","v2.1.1","v2.1.10","v2.1.11","v2.1.12","v2.1.13","v2.1.14","v2.1.15","v2.1.16","v2.1.17","v2.1.2","v2.1.3","v2.1.4","v2.1.4-patch.1","v2.1.5","v2.1.6","v2.1.7","v2.1.8","v2.1.9","v2.2.0","v2.2.0-patch.1","v2.2.1","v2.3.0","v2.3.1","v2.3.2","v2.3.3"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33030.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}