SB2026042136 - Multiple vulnerabilities in nginx-ui
Published: April 21, 2026 Updated: April 23, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 6 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2026-33031)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Green
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A remote user who was disabled by an administrator can continue reading and modifying protected resources.
2) Path traversal (CVE-ID: CVE-2026-33027)
CWE-ID: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to path traversal in the configuration deletion handler when processing specially crafted URL-encoded traversal paths. A remote privileged user can send a specially crafted deletion request to cause a denial of service.
The issue can cause recursive deletion of the entire Nginx configuration directory because the resolved path is passed to os.RemoveAll.
3) Improper validation of integrity check value (CVE-ID: CVE-2026-33026)
CWE-ID: CWE-354 - Improper Validation of Integrity Check Value
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to execute arbitrary commands on the host.
The vulnerability exists due to improper validation of integrity check values in the backup restore mechanism when processing a tampered encrypted backup archive. A remote privileged user can upload a crafted backup and inject malicious configuration to execute arbitrary commands on the host.
Exploitation requires access to the backup security token so the backup contents and integrity metadata can be modified and re-encrypted.
4) Race condition (CVE-ID: CVE-2026-33028)
CWE-ID: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause persistent data corruption and a denial of service.
The vulnerability exists due to a race condition in the settings update pipeline when handling concurrent settings update requests. A remote privileged user can send concurrent crafted POST requests to /api/settings to cause persistent data corruption and a denial of service.
The issue can also cause cross-section contamination in app.ini, which may create a non-deterministic path to command execution if user-controlled values are written into command fields.
5) Input validation error (CVE-ID: CVE-2026-33029)
CWE-ID: CWE-20 - Improper input validation
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to improper input validation in the POST /api/settings endpoint when processing the logrotate.interval field. A remote privileged user can send a specially crafted request with a negative integer value to cause a denial of service.
The issue can cause the backend to enter an infinite loop or invalid state, rendering the web interface unresponsive.
6) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-33030)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to access, modify, and delete other users' resources.
The vulnerability exists due to authorization bypass through user-controlled key in resource endpoints when handling requests for resources by ID without verifying user ownership. A local user can enumerate and request another user's resource identifier to access, modify, and delete other users' resources.
In multi-user environments, exposed resources may include plaintext DNS API tokens and ACME private keys.
Remediation
Install update from vendor's website.
References
- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-x234-x5vq-cc2v
- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m8p8-53vf-8357
- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq
- https://github.com/advisories/GHSA-fhh2-gg7w-gwpq
- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4
- https://github.com/advisories/GHSA-m468-xcm6-fxg4
- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-cp8r-8jvw-v3qg
- https://github.com/advisories/GHSA-cp8r-8jvw-v3qg
- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-5hf2-vhj6-gj9m