CVE-2026-33027
Received Received - Intake
Path Traversal in Nginx-UI Allows Config Directory Deletion

Publication date: 2026-03-30

Last updated on: 2026-04-01

Assigner: GitHub, Inc.

Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, this allows an authenticated user to remove the entire /etc/nginx directory, resulting in a partial Denial of Service. This issue has been patched in version 2.3.4.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-30
Last Modified
2026-04-01
Generated
2026-06-16
AI Q&A
2026-03-30
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33027
EUVD
EUVD-2026-17151
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
nginxui nginx_ui to 2.3.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-73 The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-33027 vulnerability affects nginx-ui versions up to 2.3.3 and involves improper handling of URL-encoded traversal sequences in the configuration paths.

Specifically, the backend does not correctly reject double-encoded traversal sequences like "..%252F", allowing an authenticated user with high privileges to bypass path filters.

When such specially crafted paths are supplied, the system's path normalization logic fails and resolves the path to the base Nginx configuration directory (/etc/nginx).

This leads to the deletion handler recursively deleting the entire /etc/nginx directory, causing a partial Denial of Service by removing all Nginx configurations managed by nginx-ui.

Compliance Impact

The vulnerability in nginx-ui allows an authenticated user with high privileges to delete the entire Nginx configuration directory, causing a partial Denial of Service by disrupting availability of web services relying on the affected Nginx instance.

While the vulnerability impacts availability, it does not affect confidentiality or integrity of data, as there is no indication of data leakage or unauthorized data modification.

Therefore, the primary compliance impact would be related to availability requirements under standards like GDPR and HIPAA, which mandate ensuring availability of systems and services that process personal or protected health information.

Disruption of service due to this vulnerability could potentially lead to non-compliance with such availability requirements, especially if the affected Nginx instance is critical for handling regulated data.

Impact Analysis

Exploitation of this vulnerability allows an authenticated user with high privileges to delete the entire Nginx configuration directory (/etc/nginx).

This results in immediate failure of the Nginx service and denial of service for all web services relying on the affected Nginx instance.

Recovery requires manual restoration of all configuration files, causing potential downtime and operational disruption.

Detection Guidance

This vulnerability involves improper handling of URL-encoded traversal sequences in nginx-ui versions up to 2.3.3, allowing recursive deletion of the /etc/nginx directory by an authenticated user with high privileges.

To detect potential exploitation attempts on your system or network, monitor for requests containing double-encoded traversal sequences such as "..%252F" in URLs targeting nginx-ui endpoints.

Suggested commands to detect suspicious activity include:

  • Using grep to search nginx-ui access logs for double-encoded traversal sequences: grep -i '%252F' /var/log/nginx-ui/access.log
  • Using network monitoring tools like tcpdump or Wireshark to filter HTTP requests containing suspicious URL-encoded traversal patterns.
  • Checking for unexpected deletions or modifications in the /etc/nginx directory by reviewing filesystem audit logs or using commands like: sudo auditctl -w /etc/nginx -p wa
Mitigation Strategies

The primary mitigation step is to upgrade nginx-ui to version 2.3.4 or later, where this vulnerability has been patched.

Additionally, restrict access to nginx-ui to only trusted and authenticated users with high privileges, as exploitation requires authentication.

Implement monitoring and alerting for suspicious URL-encoded traversal sequences in requests to nginx-ui.

Regularly back up the /etc/nginx configuration directory to enable quick restoration in case of deletion.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33027. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart