Platform: nginx
Component: nginx-ui
Fixed in: 2.3.4
CVE-2026-33030 affects the nginx-UI project, a web UI for managing Nginx configurations. This vulnerability stems from the insecure storage of sensitive data, specifically DNS API tokens and ACME private keys, in an unencrypted format. Successful exploitation could allow an attacker to manipulate DNS records, potentially leading to website redirection, phishing attacks, or denial of service. The vulnerability was published on 2026-04-02, and a fixed version is currently unavailable.
The primary impact of CVE-2026-33030 lies in the exposure of sensitive credentials. DNS API tokens, if compromised, grant an attacker the ability to modify DNS records associated with the affected domain. This could be leveraged to redirect traffic to malicious websites (DNS hijacking), intercept email communications, or disrupt service availability. ACME private keys, used for Let's Encrypt certificate management, could allow an attacker to issue fraudulent SSL/TLS certificates, enabling man-in-the-middle attacks and further compromising the integrity of the web application. The blast radius extends beyond the immediate nginx-UI instance, potentially impacting all services relying on the affected DNS infrastructure. The lack of encryption means that any user with access to the server's file system or container storage could easily discover these credentials.
CVE-2026-33030 is currently not listed on KEV or EPSS, indicating a low to medium probability of active exploitation. Public proof-of-concept (POC) code is not yet widely available, but the vulnerability's nature makes it a likely target for opportunistic attackers. The NVD and CISA have not yet published advisories related to this CVE. Given the sensitivity of the exposed data (DNS tokens and ACME keys), it is prudent to assume that this vulnerability could be exploited in the near future.
Organizations deploying nginx-UI in production environments, particularly those relying on automated DNS management or Let's Encrypt certificates, are at significant risk. Shared hosting environments where multiple users share the same server resources are especially vulnerable, as a compromise of one user's nginx-UI instance could expose the credentials of others.
• linux / server:
find /var/lib/nginx-ui/ -name '*.conf' -print0 | xargs -0 grep -i 'dns_api_token' # Check for unencrypted tokens
find /var/lib/nginx-ui/ -name '*.key' -print0 | xargs -0 grep -i 'acme_private_key' # Check for unencrypted keys
• generic web:
curl -I http://<nginx-ui-host>/config.json # Check for exposed configuration file
Disclosure
Exploit status
EPSS: 0.03% (10th percentile)
CISA SSVC
CVSS vector
Given that a fixed version of nginx-UI is not yet available, immediate mitigation strategies are crucial. First, restrict access to the nginx-UI configuration files and storage locations. Implement strict file system permissions, limiting access to authorized users only. Consider using a Web Application Firewall (WAF) or reverse proxy to inspect traffic and potentially block requests attempting to access sensitive configuration data. If possible, rotate existing DNS API tokens and ACME private keys to invalidate any potentially compromised credentials. Monitor system logs for any unusual activity or unauthorized access attempts. Regularly scan the server for vulnerabilities and misconfigurations. Once a patched version of nginx-UI is released, upgrade immediately and verify that the sensitive data is now stored securely, preferably using encryption at rest.
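The file-permission hardening described above can be checked and applied with a small script. The following is an added example, not part of this advisory and not code from the nginx-UI project; the storage directory is passed in as a parameter (the advisory's own checks use /var/lib/nginx-ui/, but nothing here assumes nginx-UI's actual file layout). It lists every regular file under the directory that is readable by group or others, and a second function tightens directories to 0700 and files to 0600 so only the service account can read stored tokens and keys.

```shell
#!/bin/sh
# Added example: audit and harden permissions on a credential store.
# Usage: audit_world_readable /var/lib/nginx-ui   (prints offending paths)
#        harden_credential_store /var/lib/nginx-ui (owner-only access)
# The directory argument is an assumption; adjust to your deployment.

# Print every regular file under $1 whose mode grants read access to
# group or others. Each printed line is a file that a co-located user
# (shared host, sidecar container) could read without privilege.
audit_world_readable() {
  find "$1" -type f \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null
}

# Restrict the store to its owner: directories 0700, files 0600.
# Run as the user that owns the store (or as root) before rotating keys,
# so the freshly issued credentials are never written world-readable.
harden_credential_store() {
  find "$1" -type d -exec chmod 700 {} +
  find "$1" -type f -exec chmod 600 {} +
}

# Count offending files; a non-zero result means the store needs hardening.
count_world_readable() {
  audit_world_readable "$1" | wc -l | tr -d ' '
}
```

Run the audit first and keep its output: any file it reports should be treated as potentially exposed, which is the trigger for rotating the DNS API token or ACME key stored in it, not just for fixing the mode.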
Update Nginx UI to version 2.3.4 or later to mitigate the IDOR vulnerability. This update addresses the missing verification of user ownership on resource endpoints, preventing unauthorized access to data.
CVE-2026-33030 is a HIGH severity vulnerability in nginx-UI that allows DNS API tokens and ACME private keys to be stored without encryption, potentially leading to unauthorized access and control.
You are affected if you are using nginx-UI and have not applied a fix. The vulnerability impacts deployments where sensitive credentials are stored in an unencrypted format.
A patch is pending. Until a fix is released, mitigate the risk by restricting access to the configuration files and encrypting the storage volume.
There are currently no confirmed reports of active exploitation, but the vulnerability's sensitivity makes it a likely target.
Refer to the nginx-UI project's GitHub repository and associated communication channels for updates and advisories regarding this vulnerability.