CVE-2026-33026
Received - Intake
Backup Restore Tampering Vulnerability in Nginx UI Before

Publication date: 2026-03-30

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.
Meta Information
Published: 2026-03-30
Last Modified: 2026-04-01
Generated: 2026-05-07
AI Q&A: 2026-03-30
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: nginxui
Product: nginx_ui
Version / Range: to 2.3.4 (exc)
CWE ID and Description

  • CWE-312: The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere.
  • CWE-347: The product does not verify, or incorrectly verifies, the cryptographic signature for data.
  • CWE-354: The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.
AI Powered Q&A
Can you explain this vulnerability to me?

The CVE-2026-33026 vulnerability affects nginx-ui versions up to 2.3.3 and involves the backup restore mechanism. Attackers can tamper with encrypted backup archives and inject malicious configurations during restoration due to a flawed cryptographic design.

The backup files are encrypted using AES-256-CBC and include integrity metadata (hashes) that are also encrypted with the same key. The encryption key and initialization vector (IV) are provided to the client as a backup security token, creating a circular trust model.

Because the restore process trusts the hashes contained within the backup itself and does not strictly enforce integrity verification, an attacker who obtains the backup token can decrypt and modify the backup files, recompute valid hashes, re-encrypt the result, and have a malicious configuration restored.

This can lead to injection of malicious commands, persistent tampering of application configuration, and potentially arbitrary command execution on the host running nginx-ui.
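
The circular trust described above, as an added Go example (not nginx-ui's code and not the 2.3.4 patch): an unkeyed hash shipped inside the archive is compared with a MAC under a key that stays on the server. All type and function names and the sample content are constructed for illustration; AES is left out because the token holder already has the key and IV.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Backup models a decrypted archive (hypothetical type, not nginx-ui's).
type Backup struct {
	Content      []byte // constructed stand-in for app.ini
	EmbeddedHash []byte // SHA-256 shipped inside the archive itself
	ServerTag    []byte // HMAC-SHA256 under a key kept only on the server
}

func digest(b []byte) []byte { s := sha256.Sum256(b); return s[:] }

func serverTag(key, b []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(b)
	return m.Sum(nil)
}

// NewBackup is what the server produces at backup time.
func NewBackup(serverKey, content []byte) Backup {
	return Backup{content, digest(content), serverTag(serverKey, content)}
}

// Reseal models an edit made with the token alone: the content changes and the
// unkeyed hash is recomputed, but the server tag cannot be regenerated.
func Reseal(b Backup, content []byte) Backup {
	return Backup{content, digest(content), b.ServerTag}
}

// VerifyEmbedded is the circular check: the archive vouches for itself.
func VerifyEmbedded(b Backup) bool { return bytes.Equal(digest(b.Content), b.EmbeddedHash) }

// VerifyKeyed fails closed unless the tag matches under the server-only key.
func VerifyKeyed(serverKey []byte, b Backup) bool {
	return hmac.Equal(serverTag(serverKey, b.Content), b.ServerTag)
}

func main() {
	key := []byte("constructed-server-only-key")
	orig := NewBackup(key, []byte("[app]\nName = demo\n"))
	edited := Reseal(orig, []byte("[app]\nName = changed\n"))
	fmt.Println(VerifyEmbedded(edited), VerifyKeyed(key, edited), VerifyKeyed(key, orig))
}
```

The embedded-hash check accepts the edited archive because the hash is unkeyed and travels with the data; the keyed check rejects it because the edit cannot produce a matching tag without the server-side key.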


How can this vulnerability impact me?

This vulnerability can lead to a full compromise of the nginx-ui instance if an attacker gains access to the backup security token. Possible consequences include:

  • Persistent tampering of application configuration.
  • Insertion of backdoors into nginx configuration.
  • Execution of attacker-controlled commands on the host system.
  • Potential full system compromise depending on deployment and restore permissions.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this vulnerability involves identifying if your nginx-ui instance is running a vulnerable version (up to 2.3.3) and if the backup restore mechanism is being used or accessed.

You can check the nginx-ui version by running a command inside the deployment environment, for example:

  • docker exec -it <nginx-ui-container> nginx-ui --version

To detect potential exploitation or tampering, monitor network traffic for backup security tokens (keys and IVs) being transmitted, as these are required to manipulate backups.

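You can use network capture tools like tcpdump or Wireshark to look for the backup security token in HTTP headers or transferred files. A plain-text match like the one below only sees unencrypted HTTP; traffic on port 443 is TLS-encrypted and will not match unless it is decrypted first. For example: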

  • tcpdump -i <interface> -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'backup-security-token'

Additionally, inspect backup archives (nginx-ui.zip) and their contents for unauthorized modifications by decrypting them with the backup security token and verifying the integrity of configuration files.

Since the vulnerability involves tampering with encrypted backups, you can decrypt and inspect backup files if you have the token, using OpenSSL commands like the following (the -K and -iv options take hexadecimal values):

  • openssl enc -d -aes-256-cbc -in nginx-ui.zip -out decrypted.zip -K <key> -iv <iv>
  • Then verify if configuration files such as app.ini have unexpected or malicious entries (e.g., StartCmd = bash).

What immediate steps should I take to mitigate this vulnerability?

The primary immediate mitigation is to upgrade nginx-ui to version 2.3.4 or later, where this vulnerability has been patched.

Until you can upgrade, restrict access to the backup restore mechanism and the backup security tokens to trusted administrators only, as possession of these tokens enables exploitation.

Avoid sharing or exposing backup security tokens in HTTP headers or files accessible to untrusted users.

Implement network-level controls to limit access to the nginx-ui interface, especially the restore functionality.

Monitor and audit backup restore operations for suspicious activity or unexpected configuration changes.

Consider disabling the restore feature temporarily if possible until a secure upgrade is applied.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in nginx-ui's backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configurations, potentially leading to full compromise of the nginx-ui instance. This can result in unauthorized access, data manipulation, and execution of attacker-controlled commands.

Such a compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data integrity, confidentiality, and system security to protect sensitive information.

Specifically, the ability to alter backup data and configurations undermines data integrity and confidentiality, increasing the risk of data breaches and unauthorized data exposure, which are critical compliance concerns under these regulations.

