# CVE-2026-34403

> Vulnerability · severity: **HIGH** (CVSS 8.1).

## Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.5, all WebSocket endpoints in nginx-ui use a gorilla/websocket Upgrader with CheckOrigin unconditionally returning true, allowing Cross-Site WebSocket Hijacking (CSWSH). Combined with the fact that authentication tokens are stored in browser cookies (set via JavaScript without HttpOnly or explicit SameSite attributes), a malicious webpage can establish authenticated WebSocket connections to the nginx-ui instance when a logged-in administrator visits the attacker-controlled page. Version 2.3.5 patches the issue.

## Key facts

- **CVE ID:** CVE-2026-34403
- **Published:** 2026-04-20
- **CVSS severity:** HIGH
- **CVSS base score:** 8.1
- **CWE codes:** CWE-1385

## Affected products

- `nginxui:nginx_ui`

## Primary sources

- NIST NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-34403

## Citation

> AI Analytics. CVE-2026-34403. Retrieved 2026-07-12 from https://api.ai-analytics.org/cve/CVE-2026-34403. Derived from NIST NVD. Licensed CC0.

---

*[Dataset catalog](https://api.ai-analytics.org/datasets/) · [AI Analytics](https://api.ai-analytics.org/) · CC0 1.0*