CVE-2026-33026
Published 2026-03-30
Priority P3 (53) · critical 9.1 (CVSS 3.1) · vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
EPSS 0.33% (24.5th percentile)
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 0xjacky | nginx-ui | < 2.3.4 | 2.3.4 |
| github.com | 0xjacky_nginx-ui | 0 – 1.9.9 | — |
| nginxui | nginx_ui | < 2.3.4 | 2.3.4 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| NVD | 4.0 | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV
nginx-ui Backup Restore Allows Tampering with Encrypted Backups in github.com/0xJacky/Nginx-UI
osv·2026-04-02
GHSA
nginx-ui Backup Restore Allows Tampering with Encrypted Backups
ghsa·2026-03-30
CVE-2026-33026 [CRITICAL] CWE-312 nginx-ui Backup Restore Allows Tampering with Encrypted Backups
## Summary
The `nginx-ui` backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration.
## Details
The backup format lacks a trusted integrity root. Although files are encrypted, the encryption key and IV are provided to the client and the integrity metadata (`hash_info.txt`) is encrypted using the same key. As a result, an attacker who can access the backup token can decrypt the archive, modify its contents, recompute integrity hashes, and re-encrypt the bundle.
Because the restore process does not enforce integrity verification and accepts backups even when hash mismatches are detected, the system restores attacker-controlled configuration even wh
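The two defects the advisory names are (1) integrity metadata protected only by a key the client also holds, so it can be recomputed by whoever holds the archive, and (2) a restore path that notes a hash mismatch but proceeds anyway. The following added example is not nginx-ui's code or backup format; it models both defects beside a restore that accepts only bundles sealed under a server-held MAC key and that refuses on any mismatch. The file names, sample keys, the toy SHA-256 keystream XOR standing in for the real cipher, and the bundle layout are all constructed assumptions.

```python
"""Restore-side integrity for an encrypted backup bundle (added example, not nginx-ui code)."""
import hashlib
import hmac
import json


class IntegrityError(Exception):
    """Raised when a bundle fails verification; restore must stop here."""


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy counter-mode keystream, NOT a real cipher; only models "one key for everything".
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:n])


def xor_crypt(key: bytes, iv: bytes, name: str, data: bytes) -> bytes:
    # Same call encrypts and decrypts; per-file nonce = iv || name.
    ks = _keystream(key, iv + name.encode(), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def build_hash_info(files: dict) -> bytes:
    # Plain SHA-256 per file: anyone holding the plaintext can recompute it,
    # so this is integrity metadata, not an integrity root.
    digests = {n: hashlib.sha256(d).hexdigest() for n, d in sorted(files.items())}
    return json.dumps(digests).encode()


def pack_bundle(files: dict, key: bytes, iv: bytes) -> dict:
    # hash_info.txt is encrypted under the same key/IV as the files it describes.
    bundle = {n: xor_crypt(key, iv, n, d) for n, d in files.items()}
    bundle["hash_info.txt"] = xor_crypt(key, iv, "hash_info.txt", build_hash_info(files))
    return bundle


def unpack_bundle(bundle: dict, key: bytes, iv: bytes):
    hash_info = xor_crypt(key, iv, "hash_info.txt", bundle["hash_info.txt"])
    files = {n: xor_crypt(key, iv, n, b) for n, b in bundle.items() if n != "hash_info.txt"}
    return files, hash_info


def hashes_match(files: dict, hash_info: bytes) -> bool:
    return json.loads(hash_info) == json.loads(build_hash_info(files))


def restore_weak(bundle: dict, key: bytes, iv: bytes, log: list) -> dict:
    # Weak pattern: a mismatch is logged, yet the files are still handed back for restoration.
    files, hash_info = unpack_bundle(bundle, key, iv)
    if not hashes_match(files, hash_info):
        log.append("hash mismatch in hash_info.txt")
    return files


def seal_bundle(bundle: dict, server_mac_key: bytes) -> bytes:
    # Encrypt-then-MAC over the ciphertexts with a key the client never receives;
    # length-prefixed canonical encoding keeps name/blob boundaries unambiguous.
    h = hmac.new(server_mac_key, digestmod=hashlib.sha256)
    for n, b in sorted(bundle.items()):
        h.update(len(n).to_bytes(4, "big") + n.encode())
        h.update(len(b).to_bytes(4, "big") + b)
    return h.digest()


def restore_strict(bundle: dict, tag: bytes, key: bytes, iv: bytes, server_mac_key: bytes) -> dict:
    # 1. Check the server's seal before touching any ciphertext.
    if not hmac.compare_digest(seal_bundle(bundle, server_mac_key), tag):
        raise IntegrityError("bundle was not sealed by this server")
    # 2. Only then decrypt, and still refuse on a hash_info mismatch.
    files, hash_info = unpack_bundle(bundle, key, iv)
    if not hashes_match(files, hash_info):
        raise IntegrityError("hash_info.txt does not match file contents")
    return files


def demo() -> dict:
    key, iv, server_mac_key = b"k" * 32, b"i" * 12, b"s" * 32  # constructed sample keys
    files = {"nginx.conf": b"worker_processes 1;\n", "app.ini": b"[server]\nport = 9000\n"}
    bundle = pack_bundle(files, key, iv)
    tag = seal_bundle(bundle, server_mac_key)

    # A holder of key+iv (the client, by design) can repack an edited file set; hash_info
    # is regenerated along the way, so the weak check has nothing left to flag.
    edited = dict(files, **{"nginx.conf": b"worker_processes 4;\n"})
    repacked = pack_bundle(edited, key, iv)
    weak_log: list = []
    weak_result = restore_weak(repacked, key, iv, weak_log)
    try:
        restore_strict(repacked, tag, key, iv, server_mac_key)
        strict_rejected = False
    except IntegrityError:
        strict_rejected = True
    return {
        "original_ok": restore_strict(bundle, tag, key, iv, server_mac_key) == files,
        "weak_accepts_repacked": weak_result == edited and weak_log == [],
        "strict_rejects_repacked": strict_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is that the seal key lives only on the restoring server (or in a KMS it controls), so no holder of the download token can produce a valid tag; the seal covers the ciphertext so it is checked before decryption; and a failed check is an exception, not a log line. In a real system the sealed data should also bind a backup identifier or timestamp so an old, legitimately sealed bundle cannot be replayed as a current one.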
OSV
nginx-ui Backup Restore Allows Tampering with Encrypted Backups
osv·2026-03-30
CVE-2026-33026 [CRITICAL] nginx-ui Backup Restore Allows Tampering with Encrypted Backups
No detection rules found.
No public exploits indexed.
Hackernews
⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
blogs_hackernews·2026-04-06
## ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More
This week had real hits. The key software got tampered with. Active bugs showed up in the tools people use every day. Some attacks didn’t even need much effort because the path was already there.
One weak spot now spreads wider than before. What starts small can reach a lot of systems fast. New bugs, faster use, less time to react.
That’s this week. Read through it.
## ⚡ Threat of the Week
Axios npm Package Compromised by N. Korean Hackers —Threat actors with ties to North Korea seized control of the npm account belonging to the lead m
Wiz
CVE-2026-33029 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
## CVE-2026-33029: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive. This issue has been patched in version 2.3.4.
Source : NVD
Score 6.9
Published March 30, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.7
Exploitation Probability (EPSS) 0
Wiz
CVE-2026-33028 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
## CVE-2026-33028: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.
Source : NVD
Score 7.1
Published March 30, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
C
Wiz
CVE-2026-27944 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.8
## CVE-2026-27944: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
Source : NVD
Score 9.8
Published March 5, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploita
Wiz
CVE-2026-33027 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
## CVE-2026-33027: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, this allows an authenticated user to remove the entire /etc/nginx directory, resulting in a partial Denial of Service. This issue has been patched in version 2.3.4.
Source : NVD
Score 6.9
Published March 30, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Dat
Wiz
CVE-2026-33030 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
## CVE-2026-33030: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.
Source : NVD
Score 9.9
Published March 30, 2026
Severity CRITICAL
CNA Score 8.8
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Da
Wiz
CVE-2026-33032 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
## CVE-2026-33032: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patc
Wiz
CVE-2026-33026 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 9.4
## CVE-2026-33026: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.
Source : NVD
Score 9.4
Published March 30, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:nginxui:nginx_ui
github.com/0xjacky/nginx-ui
Sources
GoLang Severity CRITICAL No Fix Added at: Mar
Published 2026-03-30