CVE-2026-33026
Received Received - Intake
Backup Restore Tampering Vulnerability in Nginx UI Before

Publication date: 2026-03-30

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33026
EUVD
EUVD-2026-17194
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nginxui nginx_ui to 2.3.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-347 The product does not verify, or incorrectly verifies, the cryptographic signature for data.
CWE-312 The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
CWE-354 The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-33026 vulnerability affects nginx-ui versions up to 2.3.3 and involves the backup restore mechanism. Attackers can tamper with encrypted backup archives and inject malicious configurations during restoration due to a flawed cryptographic design.

The backup files are encrypted using AES-256-CBC and include integrity metadata (hashes) that are also encrypted with the same key. The encryption key and initialization vector (IV) are provided to the client as a backup security token, creating a circular trust model.

Because the restore process trusts the hashes contained within the backup itself and does not strictly enforce integrity verification, an attacker who obtains the backup token can decrypt, modify, re-encrypt the backup files, recompute valid hashes, and restore malicious configurations.

This can lead to injection of malicious commands, persistent tampering of application configuration, and potentially arbitrary command execution on the host running nginx-ui.

Impact Analysis

This vulnerability can lead to a full compromise of the nginx-ui instance if an attacker gains access to the backup security token.

  • Persistent tampering of application configuration.
  • Insertion of backdoors into nginx configuration.
  • Execution of attacker-controlled commands on the host system.
  • Potential full system compromise depending on deployment and restore permissions.
Detection Guidance

Detection of this vulnerability involves identifying if your nginx-ui instance is running a vulnerable version (up to 2.3.3) and if the backup restore mechanism is being used or accessed.

You can check the nginx-ui version by running a command inside the deployment environment, for example:

  • docker exec -it <nginx-ui-container> nginx-ui --version

To detect potential exploitation or tampering, monitor network traffic for backup security tokens (keys and IVs) being transmitted, as these are required to manipulate backups.

You can use network capture tools like tcpdump or Wireshark to filter HTTP headers or files containing the backup security token, for example:

  • tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'backup-security-token'

Additionally, inspect backup archives (nginx-ui.zip) and their contents for unauthorized modifications by decrypting them with the backup security token and verifying the integrity of configuration files.

Since the vulnerability involves tampering with encrypted backups, you can attempt to decrypt and inspect backup files if you have the token, using OpenSSL commands like:

  • openssl enc -d -aes-256-cbc -in nginx-ui.zip -out decrypted.zip -K <key> -iv <iv>
  • Then verify if configuration files such as app.ini have unexpected or malicious entries (e.g., StartCmd = bash).
Mitigation Strategies

The primary immediate mitigation is to upgrade nginx-ui to version 2.3.4 or later, where this vulnerability has been patched.

Until you can upgrade, restrict access to the backup restore mechanism and the backup security tokens to trusted administrators only, as possession of these tokens enables exploitation.

Avoid sharing or exposing backup security tokens in HTTP headers or files accessible to untrusted users.

Implement network-level controls to limit access to the nginx-ui interface, especially the restore functionality.

Monitor and audit backup restore operations for suspicious activity or unexpected configuration changes.

Consider disabling the restore feature temporarily if possible until a secure upgrade is applied.

Compliance Impact

The vulnerability in nginx-ui's backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configurations, potentially leading to full compromise of the nginx-ui instance. This can result in unauthorized access, data manipulation, and execution of attacker-controlled commands.

Such a compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and system security to protect sensitive information.

Specifically, the ability to alter backup data and configurations undermines data integrity and confidentiality, increasing the risk of data breaches and unauthorized data exposure, which are critical compliance concerns under these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33026. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart