{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use of or inability to use the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of forum also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33030",
        "tracking": {
            "current_release_date": "2026-04-01T22:58:59.063863Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33030",
            "initial_release_date": "2026-03-30T17:42:07.030120Z",
            "revision_history": [
                {
                    "date": "2026-03-30T17:42:07.030120Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-30T17:42:12.366105Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-30T18:26:32.640665Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-30T18:26:34.725408Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-30T18:39:52.881357Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products created (1).| References created (1).| CWES updated (1)."
                },
                {
                    "date": "2026-03-30T18:39:55.130471Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-30T22:12:52.721152Z",
                    "number": "7",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-31T12:05:48.309491Z",
                    "number": "8",
                    "summary": "Source connected.| CVE status created. (valid)| Products connected (1).| References created (15)."
                },
                {
                    "date": "2026-03-31T12:05:53.584296Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-31T16:58:06.207360Z",
                    "number": "10",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-31T16:58:09.278671Z",
                    "number": "11",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-31T19:39:05.570092Z",
                    "number": "12",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-04-01T22:58:56.260137Z",
                    "number": "13",
                    "summary": "Products created (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-04-01T22:58:58.416346Z",
                    "number": "14",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "14"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/ui <2.3.4",
                                "product": {
                                    "name": "vers:unknown/ui <2.3.4",
                                    "product_id": "CSAFPID-5968318"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "NGINX"
                    }
                ],
                "category": "vendor",
                "name": "NGINX"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<=2.3.3",
                                "product": {
                                    "name": "vers:unknown/<=2.3.3",
                                    "product_id": "CSAFPID-5965563"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "nginx-ui"
                    }
                ],
                "category": "vendor",
                "name": "0xJacky"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<=2.3.3",
                                "product": {
                                    "name": "vers:unknown/<=2.3.3",
                                    "product_id": "CSAFPID-5982830",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "nginx_ui"
                    }
                ],
                "category": "vendor",
                "name": "nginxui"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33030",
            "cwe": {
                "id": "CWE-639",
                "name": "Authorization Bypass Through User-Controlled Key"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\n\nNginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base `Model` struct lacks a `user_id` field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments.\n\n## Severity\n\n**High** - CVSS 3.1 Score: **8.8 (High)**\n\nVector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`\n\n**Note**: Original score was 7.5. The score was updated to 8.8 after discovering that sensitive data (DNS API tokens, ACME private keys) is stored in plaintext, which when combined with IDOR allows immediate credential theft without decryption.\n\n## Product\n\nnginx-ui\n\n## Affected Versions\n\nAll versions up to and including v2.3.3\n\n## CWE\n\nCWE-639: Authorization Bypass Through User-Controlled Key\n\n## Description\n\n### Exposed DNS Provider Credentials\n\nThe `dns.Config` structure (`internal/cert/dns/config_env.go`) contains API credentials:\n\n```go\ntype Configuration struct {\n    Credentials map[string]string `json:\"credentials\"`  // API tokens here\n    Additional  map[string]string `json:\"additional\"`\n}\n```\n\n| Provider | Credential Fields | Impact if Leaked |\n|----------|------------------|------------------|\n| Cloudflare | `CF_API_TOKEN` | Full DNS zone control |\n| Alibaba Cloud DNS | `ALICLOUD_ACCESS_KEY`, `ALICLOUD_SECRET_KEY` | Full DNS control + potential IAM access |\n| Tencent Cloud DNS | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY` | Full DNS control |\n| AWS Route53 | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` | Route53 + potential AWS access |\n| GoDaddy | `GODADDY_API_KEY`, `GODADDY_API_SECRET` | DNS record modification |\n\n### Combined Attack: IDOR + Plaintext Storage\n\nWhen the IDOR vulnerability is combined with plaintext storage, attackers can directly extract 
API tokens from other users' resources:\n\n```\nAttack Chain:\n┌─────────────────────────────────────────────────────────────────┐\n│ 1. Attacker authenticates with low-privilege account            │\n│ 2. Uses IDOR to enumerate: /api/dns_credentials/1,2,3...      │\n│ 3. Reads plaintext API tokens directly from HTTP response       │\n│ 4. No decryption needed - tokens stored in cleartext            │\n│ 5. Uses stolen tokens to:                                       │\n│    - Modify DNS records (domain hijacking)                      │\n│    - Issue fraudulent SSL certificates                          │\n│    - Pivot to cloud infrastructure                              │\n└─────────────────────────────────────────────────────────────────┘\n```\n\n### PoC: Extracting Plaintext Credentials via IDOR\n\n```bash\n# Attacker with low-privilege token accessing admin's DNS credential\ncurl -H \"Authorization: $ATTACKER_TOKEN\" \\\n     https://nginx-ui.example.com/api/dns_credentials/1\n\n# Response contains PLAINTEXT API token (no decryption required):\n{\n    \"id\": 1,\n    \"name\": \"Production Cloudflare\",\n    \"provider\": \"cloudflare\",\n    \"config\": {\n        \"credentials\": {\n            \"CF_API_TOKEN\": \"yhyQ7xR...plaintext_token_visible...\"\n        }\n    }\n}\n```\n\n### Updated CVSS Score with Plaintext Storage\n\nThe plaintext storage increases the confidentiality impact:\n\n**CVSS 3.1 Score: 8.8 (High)**\n\nVector: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`\n\n- **Scope Changed (S:C)**: Impact extends to external services (DNS providers, cloud platforms)\n- **High Confidentiality (C:H)**: Plaintext API tokens immediately usable\n- **High Integrity (I:H)**: DNS records, certificates can be modified\n- **High Availability (A:H)**: Services can be disrupted via DNS/certificate manipulation\n\n---\n\n### Attack Scenario: Certificate Hijacking\n\n```\n1. Attacker creates low-privilege account on nginx-ui\n2. 
Uses IDOR to enumerate all DNS credentials: /api/dns_credentials/1,2,3...\n3. Steals Cloudflare API token from admin's credential\n4. Uses token to:\n   - Modify DNS records\n   - Issue fraudulent Let's Encrypt certificates\n   - Intercept traffic to victim domains\n```\n\n## Credit\n\nDiscovered by security researcher during authorized security audit.\n\n## Recommendation\n\n### Immediate Mitigation\n\n1. **Add User Ownership to Models**\n\n```go\n// model/model.go\ntype Model struct {\n    ID        uint64          `gorm:\"primary_key\" json:\"id\"`\n    UserID    uint64          `gorm:\"index\" json:\"user_id\"`  // Add this field\n    CreatedAt time.Time       `json:\"created_at\"`\n    UpdatedAt time.Time       `json:\"updated_at\"`\n    DeletedAt *gorm.DeletedAt `gorm:\"index\" json:\"deleted_at,omitempty\"`\n}\n```\n\n2. **Filter Queries by Current User**\n\n```go\n// api/certificate/dns_credential.go\nfunc GetDnsCredential(c *gin.Context) {\n    id := cast.ToUint64(c.Param(\"id\"))\n    currentUser := c.MustGet(\"user\").(*model.User)\n\n    d := query.DnsCredential\n    dnsCredential, err := d.Where(\n        d.ID.Eq(id),\n        d.UserID.Eq(currentUser.ID),  // Add user filter\n    ).First()\n\n    if err != nil {\n        cosy.ErrHandler(c, err)\n        return\n    }\n    // ...\n}\n```\n\n3. 
**Add Authorization Middleware**\n\n```go\n// middleware/authorization.go\nfunc RequireOwnership(resourceType string) gin.HandlerFunc {\n    return func(c *gin.Context) {\n        currentUser := c.MustGet(\"user\").(*model.User)\n        resourceID := cast.ToUint64(c.Param(\"id\"))\n\n        // Check if resource belongs to current user\n        ownerID, err := getResourceOwner(resourceType, resourceID)\n        if err != nil || ownerID != currentUser.ID {\n            c.AbortWithStatusJSON(http.StatusForbidden, gin.H{\n                \"message\": \"Access denied\",\n            })\n            return\n        }\n        c.Next()\n    }\n}\n```\n\n### Database Migration\n\n```sql\n-- Add user_id column to all resource tables\nALTER TABLE dns_credentials ADD COLUMN user_id BIGINT;\nALTER TABLE certs ADD COLUMN user_id BIGINT;\nALTER TABLE acme_users ADD COLUMN user_id BIGINT;\nALTER TABLE sites ADD COLUMN user_id BIGINT;\nALTER TABLE streams ADD COLUMN user_id BIGINT;\nALTER TABLE configs ADD COLUMN user_id BIGINT;\n\n-- Set default owner for existing resources\nUPDATE dns_credentials SET user_id = 1 WHERE user_id IS NULL;\nUPDATE certs SET user_id = 1 WHERE user_id IS NULL;\n\n-- Add foreign key constraint\nALTER TABLE dns_credentials ADD CONSTRAINT fk_dns_credentials_user\n    FOREIGN KEY (user_id) REFERENCES users(id);\n```\n\n### Long-term Improvements\n\n1. Implement role-based access control (RBAC)\n2. Add audit logging for resource access\n3. Implement resource sharing functionality with explicit permissions\n4. 
Add integration tests for authorization checks\n\n---\n\n## Remediation for Plaintext Storage\n\n### Immediate Fix: Encrypt Sensitive Fields\n\nApply the same `serializer:json[aes]` pattern used for S3 credentials to DNS and ACME data:\n\n**model/dns_credential.go:**\n```go\ntype DnsCredential struct {\n    Model\n    Name         string      `json:\"name\"`\n    Config       *dns.Config `json:\"config,omitempty\" gorm:\"serializer:json[aes]\"` // Add AES encryption\n    Provider     string      `json:\"provider\"`\n    ProviderCode string      `json:\"provider_code\" gorm:\"index\"`\n}\n```\n\n**model/acme_user.go:**\n```go\ntype AcmeUser struct {\n    Model\n    // ...\n    Key PrivateKey `json:\"-\" gorm:\"serializer:json[aes]\"` // Add AES encryption\n    // ...\n}\n```\n\n### Data Migration\n\nExisting plaintext data must be re-saved to trigger encryption:\n\n```go\nfunc MigrateSensitiveData() error {\n    // Migrate DNS credentials\n    var dnsCreds []model.DnsCredential\n    query.DnsCredential.Find(&dnsCreds)\n    for _, cred := range dnsCreds {\n        query.DnsCredential.Save(&cred) // Re-save triggers AES encryption\n    }\n\n    // Migrate ACME users\n    var acmeUsers []model.AcmeUser\n    query.AcmeUser.Find(&acmeUsers)\n    for _, user := range acmeUsers {\n        query.AcmeUser.Save(&user)\n    }\n\n    return nil\n}\n```\n\n### Summary of Required Changes\n\n| File | Line | Current | Fix |\n|------|------|---------|-----|\n| `model/dns_credential.go` | 7 | `serializer:json` | `serializer:json[aes]` |\n| `model/acme_user.go` | Key field | `serializer:json` | `serializer:json[aes]` |\n\n## References\n\n- [CWE-639: Authorization Bypass Through User-Controlled Key](https://cwe.mitre.org/data/definitions/639.html)\n- [OWASP IDOR Prevention Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Insecure_Direct_Object_Reference_Prevention_Cheat_Sheet.html)\n- [PortSwigger: IDOR 
Vulnerabilities](https://portswigger.net/web-security/access-control/idor)\n\n## Disclosure Timeline\n\n- **2026-03-13**: Vulnerability discovered through source code audit\n- **2026-03-13**: Vulnerability successfully reproduced in local Docker environment\n- **2026-03-13**: All IDOR operations verified: READ, MODIFY, DELETE\n- **2026-03-13**: Security advisory prepared\n- **[Pending]**: Report submitted to nginx-ui maintainers\n- **[Pending]**: CVE ID requested\n- **[Pending]**: Patch developed and tested\n- **[Pending]**: Public disclosure (21-90 days after vendor notification)",
                    "title": "github - https://api.github.com/advisories/GHSA-5hf2-vhj6-gj9m"
                },
                {
                    "category": "description",
                    "text": "Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33030"
                },
                {
                    "category": "description",
                    "text": "Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33030.json"
                },
                {
                    "category": "other",
                    "text": "0.00019",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "4.4",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is product data available from source Certbundde",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "Is related to (a version of) an uncommon product, There is exploit data available from source Nvd",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5965563",
                    "CSAFPID-5968318",
                    "CSAFPID-5982830"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-5hf2-vhj6-gj9m"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33030"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33030.json"
                },
                {
                    "category": "external",
                    "summary": "Source - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0931.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde; github",
                    "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde; github",
                    "url": "https://github.com/advisories/GHSA-5hf2-vhj6-gj9m"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33030"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0931.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0931"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17151"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17152"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17154"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17156"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17158"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17194"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-cp8r-8jvw-v3qg"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-fhh2-gg7w-gwpq"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-h6c2-x2m2-mwhf"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-m468-xcm6-fxg4"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-m8p8-53vf-8357"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
                        "baseScore": 8.8,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5965563",
                        "CSAFPID-5968318",
                        "CSAFPID-5982830"
                    ]
                }
            ],
            "title": "CVE-2026-33030"
        }
    ]
}