CVE-2026-33030
Published 2026-03-30
Priority P2 · 63 · critical · 9.9 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS: 0.28% (19.7th percentile)
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.
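The root cause described above (a base Model with no owner column, and handlers that look rows up by ID alone) beside the scoped query that closes the hole, as an added Go example; this is illustrative code written for this page, not Nginx UI's own code, and the in-memory `Store`, its sample rows and the user IDs are constructed.

```go
package main

import "errors"
// Added illustrative pattern, not Nginx UI's own code: per the advisory the base
// Model carries only an ID and handlers query by that ID alone; the hardened
// variant adds an owner column and scopes every query to the calling user.
type Model struct{ ID uint }
type Resource struct {
	Model
	UserID uint // ownership column the vulnerable base Model lacks
	Name   string
}

var ErrNotFound = errors.New("resource not found")

// Store is a constructed in-memory stand-in for the database table.
type Store struct{ rows map[uint]Resource }

func NewStore() *Store {
	return &Store{rows: map[uint]Resource{
		1: {Model: Model{ID: 1}, UserID: 10, Name: "site-a"},
		2: {Model: Model{ID: 2}, UserID: 20, Name: "site-b"},
	}}
}

// GetByID is the vulnerable query: primary key only, so any authenticated
// caller can read, edit or delete any row.
func (s *Store) GetByID(id uint) (Resource, error) {
	if r, ok := s.rows[id]; ok {
		return r, nil
	}
	return Resource{}, ErrNotFound
}

// GetByIDForUser is the hardened query: conditioned on id AND owner; a foreign
// id returns the same error as a missing one, so there is no existence oracle.
func (s *Store) GetByIDForUser(id, userID uint) (Resource, error) {
	if r, ok := s.rows[id]; ok && r.UserID == userID {
		return r, nil
	}
	return Resource{}, ErrNotFound
}

// DeleteForUser applies the same scoping to a destructive operation and
// reports whether a row was actually removed.
func (s *Store) DeleteForUser(id, userID uint) bool {
	if _, err := s.GetByIDForUser(id, userID); err != nil {
		return false
	}
	delete(s.rows, id)
	return true
}
```

The same `UserID` condition belongs on every update and delete path, not only on reads, since the advisory covers modification and deletion as well.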
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 0xjacky | nginx-ui | <= 2.3.3 | — |
| github.com | 0xjacky_nginx-ui | 0 – 1.99 | — |
| nginxui | nginx_ui | <= 2.3.3 | — |
Detection & IOCs (extracted from sources)
- All resource endpoints in Nginx UI perform queries by ID without verifying user ownership; monitor for authenticated users accessing, modifying, or deleting resource IDs that do not belong to their account (cross-user ID enumeration pattern).
- The application's base Model struct lacks a user_id field; the absence of user_id ownership checks in database queries is the root structural indicator of the IDOR condition.
- No patch is available for CVE-2026-33030 as of publication; affected versions are 2.3.3 and prior, with no fix released.
- The vulnerability affects multi-user Nginx UI deployments; single-user deployments have reduced exposure, but the authorization bypass is still present in the codebase.
OSV
nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys in github.com/0xJacky/nginx-ui
osv · 2026-04-02
OSV
CVE-2026-33030 [HIGH] nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys
osv · 2026-03-30
## Summary
Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base `Model` struct lacks a `user_id` field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments.
## Severity
**High** - CVSS 3.1 Score: **8.8 (High)**
Vector String: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H`
**Note**: Original score was 7.5. The score was updated to 8.8 after discovering that sensitive data (DNS API tokens, ACME private keys) is stored in plaintext, which when combined with IDOR allows immedia
GHSA
CVE-2026-33030 [HIGH] CWE-639 nginx-UI has Unencrypted Storage of DNS API Tokens and ACME Private Keys
ghsa · 2026-03-30
No detection rules found.
No public exploits indexed.
Wiz
CVE-2026-33029 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.4 · [CRITICAL]
## CVE-2026-33029: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive. This issue has been patched in version 2.3.4.
Source: NVD
Score 6.9
Published March 30, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.7
Exploitation Probability (EPSS) 0
Wiz
CVE-2026-33028 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.4 · [CRITICAL]
## CVE-2026-33028: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.
Source: NVD
Score 7.1
Published March 30, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
CVE-2026-27944 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · [CRITICAL]
## CVE-2026-27944: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
Source: NVD
Score 9.8
Published March 5, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Wiz
CVE-2026-33027 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.4 · [CRITICAL]
## CVE-2026-33027: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, this allows an authenticated user to remove the entire /etc/nginx directory, resulting in a partial Denial of Service. This issue has been patched in version 2.3.4.
Source: NVD
Score 6.9
Published March 30, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
Wiz
CVE-2026-33030 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.4 · [CRITICAL]
## CVE-2026-33030: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.
Source: NVD
Score 9.9
Published March 30, 2026
Severity CRITICAL
CNA Score 8.8
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
Wiz
CVE-2026-33032 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.4 · [CRITICAL]
## CVE-2026-33032: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patc
Wiz
CVE-2026-33026 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.4 · [CRITICAL]
## CVE-2026-33026: Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.
Source: NVD
Score 9.4
Published March 30, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:nginxui:nginx_ui
github.com/0xjacky/nginx-ui
Sources
GoLang · Severity CRITICAL · No Fix · Added at: Mar
Published 2026-03-30