Improper validation of integrity check value in nginx-ui - CVE-2026-33026

 


Published: April 23, 2026


Vulnerability identifier: #VU126939
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-33026
CWE-ID: CWE-354
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Nginx UI
Affected software:
nginx-ui

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary commands on the host.

The vulnerability exists due to improper validation of integrity check values in the backup restore mechanism when processing a tampered encrypted backup archive. A remote privileged user can upload a crafted backup and inject malicious configuration to execute arbitrary commands on the host.

Exploitation requires access to the backup security token so the backup contents and integrity metadata can be modified and re-encrypted.
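The point above, that integrity metadata carried inside the archive can be rewritten by anyone holding the backup security token, is illustrated by the following added Python example (not nginx-ui code and not the vendor's fix), which compares an embedded manifest check with a check against a tag keyed by a server-only secret. The bundle layout, the sample file name and contents, and the server-side HMAC key are assumptions; the token-based encryption layer is left out because a token holder can remove and reapply it.

```python
import hashlib
import hmac
import json


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(files: dict) -> dict:
    """Bundle files with an embedded manifest of SHA-256 digests."""
    return {"files": dict(files),
            "manifest": {name: digest(data) for name, data in files.items()}}


def verify_embedded(backup: dict) -> bool:
    """Self-contained check: files are compared with the manifest shipped beside them."""
    files, manifest = backup["files"], backup["manifest"]
    return manifest.keys() == files.keys() and all(
        hmac.compare_digest(manifest[name], digest(data))
        for name, data in files.items())


def server_tag(backup: dict, server_key: bytes) -> str:
    """HMAC over a canonical digest list, keyed with a secret kept only on the server."""
    canon = json.dumps({name: digest(data) for name, data in backup["files"].items()},
                       sort_keys=True).encode()
    return hmac.new(server_key, canon, hashlib.sha256).hexdigest()


def verify_server_side(backup: dict, recorded_tag: str, server_key: bytes) -> bool:
    """Check the archive against the tag the server recorded when it created the backup."""
    return hmac.compare_digest(server_tag(backup, server_key), recorded_tag)


def demo() -> dict:
    server_key = b"constructed-server-only-secret"   # assumption: never exported
    original = make_backup({"app.ini": b"[server]\nport = 9000\n"})  # constructed sample
    recorded = server_tag(original, server_key)
    # A token holder edits a file and regenerates the manifest to match.
    modified = make_backup({"app.ini": b"[server]\nport = 9001\n"})
    return {
        "embedded_accepts_modified": verify_embedded(modified),
        "server_accepts_original": verify_server_side(original, recorded, server_key),
        "server_accepts_modified": verify_server_side(modified, recorded, server_key),
    }


if __name__ == "__main__":
    print(demo())
```

The embedded check passes for the modified bundle because its reference values travel with the data; only the check anchored to a secret outside the archive rejects it.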


How to mitigate CVE-2026-33026

Install the security update from the vendor's website.
