CVE-2026-33027
Path Traversal in Nginx-UI Allows Config Directory Deletion
Publication date: 2026-03-30
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nginxui | nginx_ui | up to 2.3.4 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
| CWE-73 | The product allows user input to control or influence paths or file names that are used in filesystem operations. |
AI Powered Q&A
Can you explain this vulnerability to me?
The CVE-2026-33027 vulnerability affects nginx-ui versions up to 2.3.3 and involves improper handling of URL-encoded traversal sequences in the configuration paths.
Specifically, the backend does not correctly reject double-encoded traversal sequences like "..%252F", allowing an authenticated user with high privileges to bypass path filters.
When such a crafted path is supplied, the path normalization logic resolves it to the base Nginx configuration directory (/etc/nginx) instead of a file beneath it.
The deletion handler then recursively deletes the entire /etc/nginx directory, causing a partial Denial of Service by removing all Nginx configurations managed by nginx-ui.
How can this vulnerability impact me?
Exploitation of this vulnerability allows an authenticated user with high privileges to delete the entire Nginx configuration directory (/etc/nginx).
This results in immediate failure of the Nginx service and denial of service for all web services relying on the affected Nginx instance.
Recovery requires manual restoration of all configuration files, causing potential downtime and operational disruption.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper handling of URL-encoded traversal sequences in nginx-ui versions up to 2.3.3, allowing recursive deletion of the /etc/nginx directory by an authenticated user with high privileges.
To detect potential exploitation attempts on your system or network, monitor for requests containing double-encoded traversal sequences such as "..%252F" in URLs targeting nginx-ui endpoints.
Suggested commands to detect suspicious activity include:
- Using grep to search nginx-ui access logs for double-encoded traversal sequences: grep -i '%252F' /var/log/nginx-ui/access.log
- Using network monitoring tools like tcpdump or Wireshark to filter HTTP requests containing suspicious URL-encoded traversal patterns.
- Checking for unexpected deletions or modifications in the /etc/nginx directory by reviewing filesystem audit logs or using commands like: sudo auditctl -w /etc/nginx -p wa
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade nginx-ui to version 2.3.4 or later, where this vulnerability has been patched.
Additionally, restrict access to nginx-ui to only trusted and authenticated users with high privileges, as exploitation requires authentication.
Implement monitoring and alerting for suspicious URL-encoded traversal sequences in requests to nginx-ui.
Regularly back up the /etc/nginx configuration directory to enable quick restoration in case of deletion.
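The path check described in the explanation and mitigation answers above, written out as an added example for this page (not nginx-ui's own code): it decodes the supplied name until it stops changing, rejects any ".." segment that appears at any decoding depth, and refuses a result that is the base directory itself, which is the case that let the recursive delete remove all of /etc/nginx. The base path comes from the advisory; the function names and the relative-name parameter are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// fullyDecode URL-decodes until the value stops changing (bounded), so a
// double-encoded "..%252F" is seen as "../" before any path check runs.
func fullyDecode(s string) string {
	for i := 0; i < 5; i++ {
		d, err := url.PathUnescape(s)
		if err != nil || d == s {
			return s
		}
		s = d
	}
	return s
}

// hasTraversal reports whether any segment of the fully decoded value is "..";
// the same check can be run over the request-path field of access-log lines.
func hasTraversal(s string) bool {
	segs := strings.FieldsFunc(fullyDecode(s), func(r rune) bool { return r == '/' || r == '\\' })
	for _, seg := range segs {
		if seg == ".." {
			return true
		}
	}
	return false
}

// safeConfigPath (assumed name) resolves a user-supplied config name under base
// and rejects anything that escapes base or resolves to base itself.
func safeConfigPath(base, name string) (string, error) {
	if hasTraversal(name) {
		return "", fmt.Errorf("rejected %q: encoded traversal sequence", name)
	}
	full := filepath.Clean(filepath.Join(base, fullyDecode(name)))
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("rejected %q: not strictly inside %s", name, base)
	}
	return full, nil
}

func main() {
	fmt.Println(safeConfigPath("/etc/nginx", "..%252F..%252Fetc%252Fnginx"))
}
```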
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in nginx-ui allows an authenticated user with high privileges to delete the entire Nginx configuration directory, causing a partial Denial of Service by disrupting availability of web services relying on the affected Nginx instance.
While the vulnerability impacts availability, it does not affect confidentiality or integrity of data, as there is no indication of data leakage or unauthorized data modification.
Therefore, the primary compliance impact would be related to availability requirements under standards like GDPR and HIPAA, which mandate ensuring availability of systems and services that process personal or protected health information.
Disruption of service due to this vulnerability could potentially lead to non-compliance with such availability requirements, especially if the affected Nginx instance is critical for handling regulated data.