CVE-2026-33026: Remote Code Execution via Cryptographic Design Flaw in Nginx UI Backup Mechanism
Vulnerability ID: CVE-2026-33026
CVSS Score: 9.1
Published: 2026-03-30
Nginx UI prior to version 2.3.4 contains a critical cryptographic design flaw in its backup and restore mechanism. Backup integrity is protected with the same user-controlled encryption key that the restoring user supplies, a circular trust model: whoever can submit a backup can also produce a key under which it validates. An attacker can therefore forge a backup archive and achieve Remote Code Execution on the host when the forged archive is restored.
TL;DR
A circular trust vulnerability in Nginx UI's backup system allows an authenticated attacker to tamper with, or fabricate, configuration backups that pass the integrity check. Restoring a forged backup leads to arbitrary command execution on the host system. Upgrade to v2.3.4 immediately.
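The circular trust model described above, as an added example in Go (Nginx UI is written in Go); this is illustrative code written for this page, not Nginx UI's backup implementation or its actual fix. It models a backup as a single tagged entry, shows why an HMAC keyed only by the user-supplied key proves nothing about who produced the archive, and contrasts it with a design whose tag is bound to a server-held secret and whose restore routine still confines written paths. The archive format, the `Server` type, the `/etc/nginx` restore root and the sample payload are all constructed assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Backup is a toy model of an integrity-protected archive: one entry (a
// relative path plus contents) and an HMAC-SHA256 tag over it. Constructed
// for this example only; it is not Nginx UI's real backup format.
type Backup struct {
	Path    string
	Content []byte
	Tag     []byte
}

// deriveKey stretches the user-supplied key string into a 32-byte MAC key.
func deriveKey(userKey string) []byte {
	sum := sha256.Sum256([]byte("backup-integrity-v1:" + userKey))
	return sum[:]
}

// mac tags the entry under key; the NUL byte separates path from content.
func mac(key []byte, path string, content []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(path))
	m.Write([]byte{0})
	m.Write(content)
	return m.Sum(nil)
}

// --- Circular design (the flaw class described above) -----------------------
// The only secret in the scheme is the key that whoever restores the backup
// types in, so anyone who can upload an archive can also tag it.

func CreateCircular(path string, content []byte, userKey string) Backup {
	return Backup{Path: path, Content: content, Tag: mac(deriveKey(userKey), path, content)}
}

func VerifyCircular(b Backup, userKey string) bool {
	return hmac.Equal(b.Tag, mac(deriveKey(userKey), b.Path, b.Content))
}

// ForgeCircular is the attacker's side. There is nothing to break: it is the
// exact computation the legitimate exporter performs, under a key the attacker chose.
func ForgeCircular(path string, content []byte, attackerKey string) Backup {
	return CreateCircular(path, content, attackerKey)
}

// --- Hardened design ----------------------------------------------------------
// Two independent fixes: (1) the tag is keyed by a secret the server generated
// at install time and never hands out, so an uploader cannot recompute it;
// (2) restore still treats the archive as untrusted input and confines every
// write to the configured restore root.

type Server struct {
	integrityKey []byte // server-side secret; never included in the archive
	restoreRoot  string
}

func NewServer(restoreRoot string) (*Server, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &Server{integrityKey: k, restoreRoot: filepath.Clean(restoreRoot)}, nil
}

// backupKey binds the server secret to the user key, so neither alone yields a valid tag.
func (s *Server) backupKey(userKey string) []byte {
	m := hmac.New(sha256.New, s.integrityKey)
	m.Write(deriveKey(userKey))
	return m.Sum(nil)
}

func (s *Server) Create(path string, content []byte, userKey string) Backup {
	return Backup{Path: path, Content: content, Tag: mac(s.backupKey(userKey), path, content)}
}

// Restore checks the tag under the server-bound key, then rejects any entry
// whose destination would leave restoreRoot. It returns the destination path
// instead of writing, so the logic can be exercised without touching disk.
func (s *Server) Restore(b Backup, userKey string) (string, error) {
	if !hmac.Equal(b.Tag, mac(s.backupKey(userKey), b.Path, b.Content)) {
		return "", errors.New("integrity check failed: tag was not produced by this server")
	}
	rel := filepath.Clean(b.Path)
	if filepath.IsAbs(rel) || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes the restore root", b.Path)
	}
	return filepath.Join(s.restoreRoot, rel), nil
}

func main() {
	payload := []byte("server { listen 80; }") // constructed sample content
	forged := ForgeCircular("sites-enabled/default", payload, "attacker-chosen-key")
	fmt.Println("circular design accepts forged archive:", VerifyCircular(forged, "attacker-chosen-key"))

	srv, err := NewServer("/etc/nginx")
	if err != nil {
		panic(err)
	}
	_, err = srv.Restore(forged, "attacker-chosen-key")
	fmt.Println("hardened design on forged archive:", err)
	genuine := srv.Create("conf.d/app.conf", payload, "operator-key")
	dest, err := srv.Restore(genuine, "operator-key")
	fmt.Println("hardened design on genuine archive:", dest, err)
}
```

Binding the tag to a server-held secret is a trade-off: backups then restore only on the instance that produced them (or on instances that share the secret). Where cross-instance portability is required, no tag the uploader can compute will establish trust, and the restore routine must treat every restored file as attacker-controlled input regardless of how the integrity check turned out; the path confinement in `Restore` is the minimum such check, independent of the exact post-restore execution path, which this page does not detail.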
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-347
- Attack Vector: Network
- CVSS Score: 9.1 (Critical)
- EPSS Score: 0.00021 (the 5.51% figure shown alongside it is the percentile, not the probability)
- Impact: Remote Code Execution (RCE)
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
Affected Systems
- Nginx UI: < 2.3.4 (fixed in 2.3.4)
Exploit Details
- GitHub Advisory: a public proof of concept is referenced in the security advisory.
Mitigation Strategies
- Upgrade Nginx UI to version 2.3.4 or later
- Restrict access to the Nginx UI interface to administrative networks via ACLs (reverse proxy or firewall); exploitation requires an authenticated user, so limiting who can reach the login page limits who can attempt it
- Monitor server logs for unexpected process spawns by the Nginx UI service after any backup restoration
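The ACL item above, as an added example (written for this page, not taken from the Nginx UI project): nginx itself as a reverse proxy in front of Nginx UI, admitting only administrative address ranges. The backend port 9000 is assumed to be Nginx UI's default, and the hostname, certificate paths and allow-listed CIDRs are placeholders.

```nginx
# Constructed example: front Nginx UI with nginx and restrict it by source address.
server {
    listen 443 ssl;
    server_name nginx-ui.example.internal;               # placeholder hostname

    ssl_certificate     /etc/ssl/private/nginx-ui.crt;   # placeholder paths
    ssl_certificate_key /etc/ssl/private/nginx-ui.key;

    # Only the admin VPN and the management subnet may reach the UI at all.
    allow 10.10.0.0/16;       # placeholder: admin VPN range
    allow 192.168.100.0/24;   # placeholder: management subnet
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:9000;                # Nginx UI, assumed default port
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # The UI uses WebSockets for live views; pass the upgrade headers through.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The ACL is only as good as the path around it: bind Nginx UI to the loopback address in its own configuration, or firewall port 9000, so that the proxy cannot be bypassed by connecting to the backend directly. This narrows who can reach the restore endpoint; it does not remove the flaw, so upgrading remains the fix.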
Remediation Steps:
- Download the latest Nginx UI binary (v2.3.4+).
- Replace the existing executable with the patched version.
- Restart the Nginx UI service.
- Verify the version number in the web interface or application manifest.