Platform: nginx
Component: nginx-ui
Fixed in: 2.3.4
CVE-2026-33030 describes a critical vulnerability in nginx-UI, a Go-based application. The flaw causes sensitive data, specifically DNS API tokens and ACME private keys, to be stored unencrypted. Successful exploitation could grant attackers unauthorized access to DNS configurations and potentially compromise certificate management. The vulnerability was publicly disclosed on 2026-04-02, and a fix is pending.
The primary impact of CVE-2026-33030 stems from the exposure of sensitive credentials. DNS API tokens, if compromised, could allow an attacker to manipulate DNS records, redirect traffic, or launch phishing attacks. ACME private keys, used for Let's Encrypt certificate issuance, could be leveraged to generate fraudulent certificates for a domain, enabling man-in-the-middle attacks. The blast radius extends to any service relying on the compromised DNS records or certificates. The lack of encryption means that anyone with access to the storage location (e.g., a compromised container, a misconfigured file system) can readily access these credentials.
CVE-2026-33030 is not currently listed on KEV. The EPSS score is pending evaluation. There are no publicly known proof-of-concept exploits available at this time. Given the sensitivity of the exposed data, it is reasonable to assume that this vulnerability will become a target for opportunistic attackers once it gains wider visibility.
Exploit Status
EPSS: 0.03% (10th percentile)
Because no fixed version has been provided, immediate mitigation focuses on securing the storage location. Implement strict access controls on the directory where nginx-UI stores its configuration files. Consider encrypting the entire file system or volume on which nginx-UI is deployed. Regularly audit the configuration files for any signs of tampering. While not a direct fix, restricting network access to the nginx-UI container limits the potential attack surface. Monitor system logs for unusual activity, particularly attempts to access or modify configuration files. After applying these controls, verify the access restrictions by attempting to read the configuration files from an unauthorized account or location.
Update Nginx UI to a version later than 2.3.3 once a patched version is released. No patches are currently available, so it is recommended to monitor the Nginx UI repository for future security updates.
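As an added example, not taken from the advisory or from the nginx-ui project, the following Python script performs the audit step described above: it walks a data directory, flags files readable or writable by other users, and flags files that contain a PEM private-key block or a JSON token field. The directory layout, file names and secret patterns are assumptions; this page does not describe nginx-UI's actual storage format.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Heuristics for the plaintext material this advisory describes. Both patterns are
# assumptions about how such data could look on disk, not nginx-ui's real format.
PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")
JSON_SECRET_FIELD = re.compile(
    r'"(?:api_?token|api_?key|access_?token|secret)"\s*:\s*"([^"]{16,})"', re.IGNORECASE)
# Any group/other read or write bit on a credential file is a finding.
LOOSE_BITS = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def audit_dir(root):
    """Return (file name, finding) pairs for files under root that other users can
    read or write, or that contain unencrypted key/token material."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        mode = path.stat().st_mode
        if mode & LOOSE_BITS:
            findings.append((path.name, f"loose_permissions {oct(mode & 0o777)}"))
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        if PEM_PRIVATE_KEY.search(text):
            findings.append((path.name, "plaintext_private_key"))
        if JSON_SECRET_FIELD.search(text):
            findings.append((path.name, "plaintext_api_token"))
    return findings


def build_sample_dir():
    """Constructed sample data store (assumed layout): one world-readable file with a
    fake PEM key, one locked-down JSON file with a fake DNS API token."""
    root = Path(tempfile.mkdtemp(prefix="nginx-ui-audit-"))
    key_file = root / "acme_account.json"
    key_file.write_text('{"key": "-----BEGIN EC PRIVATE KEY-----\\nCONSTRUCTED-NOT-A-REAL-KEY\\n-----END EC PRIVATE KEY-----"}')
    os.chmod(key_file, 0o644)  # readable by every local user: should be flagged
    dns_file = root / "dns_credentials.json"
    dns_file.write_text('{"provider": "example", "api_token": "CONSTRUCTED-SAMPLE-TOKEN-0123456789"}')
    os.chmod(dns_file, 0o600)  # owner-only, but the token is still plaintext
    return root


if __name__ == "__main__":
    for name, finding in audit_dir(build_sample_dir()):
        print(f"{name}: {finding}")
```

Run it against the real nginx-UI data directory instead of the constructed one; a plaintext finding on a well-permissioned file still means the credential must be rotated once a patched version is in place.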
CVE-2026-33030 is a HIGH severity vulnerability in nginx-UI that allows DNS API tokens and ACME private keys to be stored without encryption, potentially leading to unauthorized access and control.
You are affected if you are using nginx-UI and have not applied a fix. The vulnerability impacts deployments where sensitive credentials are stored in an unencrypted format.
A patch is pending. Until a fix is released, mitigate the risk by restricting access to the configuration files and encrypting the storage volume.
There are currently no confirmed reports of active exploitation, but the vulnerability's sensitivity makes it a likely target.
Refer to the nginx-UI project's GitHub repository and associated communication channels for updates and advisories regarding this vulnerability.