Platform: go
Component: github.com/0xjacky/nginx-ui
Fixed in: 2.3.5, 1.9.10
CVE-2026-33026 describes a critical vulnerability in the backup and restore functionality of the Nginx-UI project. An attacker can tamper with encrypted backups, potentially leading to unauthorized access and system compromise. The vulnerability affects versions of Nginx-UI prior to 2.3.4, and a patch has been released to address the issue.
The vulnerability lies in the way Nginx-UI handles encrypted backups. An attacker who gains access to the backup files can modify them without detection, effectively corrupting the backup data. This could allow an attacker to restore a malicious configuration, inject backdoors, or steal sensitive data stored within the Nginx-UI environment. The impact is significant as it directly compromises the integrity of backup and recovery procedures, a critical component of disaster recovery and security posture. Successful exploitation could lead to complete system takeover and data exfiltration.
CVE-2026-33026 was publicly disclosed on 2026-04-02. As of that date, there are no publicly available proof-of-concept exploits. The EPSS score is likely to be medium given the critical severity and the lack of public exploits, suggesting a moderate probability of exploitation. This vulnerability is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.01% (2nd percentile)
CISA SSVC
The primary mitigation is to immediately upgrade Nginx-UI to version 2.3.4 or later. This version includes a fix that addresses the backup tampering vulnerability. If upgrading is not immediately feasible, consider restricting access to the backup directory to authorized personnel only. Implement strict file integrity monitoring on the backup files to detect any unauthorized modifications. While a WAF or proxy cannot directly prevent this vulnerability, they can be configured to monitor for suspicious activity related to backup operations.
Update nginx-ui to version 2.3.4 or later. This version addresses the vulnerability that allows tampering with encrypted backups and the injection of malicious configurations during restoration.
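The mitigation above recommends integrity monitoring of backup files so that a modified backup is detected before it is restored. The following Go example is added here and is not Nginx-UI project code; it shows one way to do that with a keyed HMAC-SHA256 manifest computed when the backup is taken and verified before restore. The Backup type, file contents and key are constructed placeholders; the key must be kept outside the backup itself.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Backup is an in-memory stand-in for an extracted backup directory
// (path -> contents), constructed for this example only.
type Backup map[string][]byte

// BuildManifest tags each file with HMAC-SHA256 under a key the backup
// does not contain, so an editor without the key cannot recompute tags.
func BuildManifest(key []byte, b Backup) map[string]string {
	m := make(map[string]string, len(b))
	for path, data := range b {
		mac := hmac.New(sha256.New, key)
		mac.Write(append([]byte(path), 0)) // bind tag to path, NUL-separated
		mac.Write(data)
		m[path] = hex.EncodeToString(mac.Sum(nil))
	}
	return m
}

// VerifyManifest returns, sorted, every path that must block a restore:
// files whose tag no longer matches, files missing, and files added.
func VerifyManifest(key []byte, b Backup, manifest map[string]string) []string {
	fresh := BuildManifest(key, b)
	var bad []string
	for path, want := range manifest {
		got, ok := fresh[path]
		if !ok || !hmac.Equal([]byte(got), []byte(want)) {
			bad = append(bad, path) // modified or removed since backup
		}
	}
	for path := range fresh {
		if _, ok := manifest[path]; !ok {
			bad = append(bad, path) // file planted after backup was taken
		}
	}
	sort.Strings(bad)
	return bad
}

func main() {
	key := []byte("placeholder-key-stored-outside-the-backup")
	b := Backup{"nginx.conf": []byte("worker_processes 1;\n"), "sites/a.conf": []byte("server {}\n")}
	manifest := BuildManifest(key, b)                             // taken at backup time
	b["nginx.conf"] = append(b["nginx.conf"], []byte("# edited\n")...) // simulated tampering
	fmt.Println("refuse restore, tampered:", VerifyManifest(key, b, manifest))
}
```

A restore routine should stop when the returned list is non-empty rather than apply the remaining files.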
CVE-2026-33026 is a critical vulnerability in Nginx-UI versions before 2.3.4 that allows attackers to tamper with encrypted backups, potentially leading to unauthorized access and system compromise.
You are affected if you are using Nginx-UI versions prior to 2.3.4. Upgrade to the latest version to mitigate the risk.
Upgrade Nginx-UI to version 2.3.4 or later. This version includes a fix that addresses the backup tampering vulnerability.
As of the current date, there are no publicly available proof-of-concept exploits, but the critical severity warrants immediate attention.
Refer to the official Nginx-UI project repository and release notes for the latest advisory and update information.