Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments.
High - CVSS 3.1 Score: 8.8 (High)
Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Note: Original score was 7.5. The score was updated to 8.8 after discovering that sensitive data (DNS API tokens, ACME private keys) is stored in plaintext, which when combined with IDOR allows immediate credential theft without decryption.
Package: nginx-ui
Affected versions: All versions up to and including v2.3.3
CWE-639: Authorization Bypass Through User-Controlled Key
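The missing ownership check, shown as an added example (not Nginx-UI's own code): an ID-only lookup next to one scoped to the authenticated user, with the same predicate reused on a delete path. The `DNSCredential` type, its `UserID` field, the `Store` methods and the in-memory map standing in for the database are all assumptions made for illustration, and the sample rows are constructed.

```go
package main

import "fmt"

// Hypothetical model: unlike the base Model described above, it carries an owner.
type DNSCredential struct {
	ID, UserID  uint64            // UserID is the owner column (assumed name)
	Credentials map[string]string // provider API tokens
}

type Store struct{ rows map[uint64]DNSCredential } // in-memory stand-in for the database

// GetByID mirrors the vulnerable pattern: the caller-supplied ID is the only key.
func (s *Store) GetByID(id uint64) (DNSCredential, bool) {
	r, ok := s.rows[id]
	return r, ok
}

// GetOwned scopes the lookup to the caller; a foreign ID looks the same as a missing one.
func (s *Store) GetOwned(userID, id uint64) (DNSCredential, bool) {
	r, ok := s.rows[id]
	if !ok || r.UserID != userID {
		return DNSCredential{}, false
	}
	return r, true
}

// DeleteOwned applies the same ownership predicate to a write path.
func (s *Store) DeleteOwned(userID, id uint64) bool {
	if _, ok := s.GetOwned(userID, id); !ok {
		return false
	}
	delete(s.rows, id)
	return true
}

// NewSampleStore returns constructed data: user 1 owns record 10, user 2 owns record 20.
func NewSampleStore() *Store {
	return &Store{rows: map[uint64]DNSCredential{
		10: {ID: 10, UserID: 1, Credentials: map[string]string{"CF_API_TOKEN": "constructed-placeholder-a"}},
		20: {ID: 20, UserID: 2, Credentials: map[string]string{"CF_API_TOKEN": "constructed-placeholder-b"}},
	}}
}

func main() {
	s := NewSampleStore()
	_, unscoped := s.GetByID(20)   // user 1 requesting user 2's record by ID alone
	_, scoped := s.GetOwned(1, 20) // same request with the ownership predicate
	fmt.Println("unscoped found:", unscoped, "scoped found:", scoped)
}
```

In a SQL-backed store the same predicate belongs in the query itself (ID and owner in one WHERE clause), so read, update and delete paths cannot skip it.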
The dns.Config structure (internal/cert/dns/config_env.go) contains API credentials:
```go
type Configuration struct {
	Credentials map[string]string `json:"credentials"` // API tokens here
	Additional  map[string]string `json:"additional"`
}
```
| Provider | Credential Fields | Impact if Leaked |
|----------|------------------|------------------|
| Cloudflare | CF_API_TOKEN | Full DNS zone control |
| Alibaba Cloud DNS | ALICLOUD_ACCESS_KEY, ALICLOUD_SECRET_KEY | Full DNS control + potential IAM access |
| Tencent Cloud DNS | TENCENTCLOUD_SECRET_ID, TENCENTCLOUD_SECRET_KEY | Full DNS control |
| AWS Route53 | AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY | Route53 + potential AWS access |
| GoDaddy | GODADDY_API_KEY, GODADDY_API_SECRET | DNS record modification |
When the IDOR vulnerability is combined with plaintext storage, attackers can directly extract API tokens from other users' resources:
Attack Chain:...
CVSS v3.1 base metrics: 8.8 / CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: AV:L, AC:L, PR:L, UI:N
Scope: S:C
Impact: C:H, I:H, A:H