CVE-2026-33026
Published: 30 March 2026
Summary
CVE-2026-33026 is a critical-severity Cleartext Storage of Sensitive Information (CWE-312) vulnerability in Nginxui Nginx Ui. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 2.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Requires monitoring and verification of the integrity of encrypted backup archives before restoration, to prevent injection of malicious Nginx configurations.
- Implements cryptographic protections with proper signature verification to mitigate tampering of encrypted backup archives, as described in the associated CWEs 312, 347, and 354.
- Validates the backup archive input to the Nginx UI restore mechanism, blocking tampered files that could inject malicious configurations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability sits in the backup/restore feature of the public-facing Nginx UI (improper signature verification combined with cleartext storage issues), so an authenticated administrator can exploit the application remotely (T1190). A tampered restore injects malicious configuration, and the resulting scope change to full host compromise maps to Exploitation for Privilege Escalation (T1068).
NVD Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.
Deeper analysis
CVE-2026-33026 affects Nginx UI, a web user interface for the Nginx web server, in versions prior to 2.3.4. The vulnerability resides in the backup restore mechanism, which permits attackers to tamper with encrypted backup archives and inject malicious configuration during the restoration process. This flaw is associated with CWEs 312 (Cleartext Storage of Sensitive Information), 347 (Improper Verification of Cryptographic Signature), and 354 (Incorrect Conversion between Representations), and carries a CVSS v3.1 base score of 9.1.
Exploitation requires high privileges (PR:H), such as administrative access to the Nginx UI, and can be performed over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful attacks alter encrypted backups to inject malicious Nginx configurations upon restoration, resulting in high impacts across confidentiality, integrity, and availability (C:H/I:H/A:H) with changed scope (S:C), potentially leading to full system compromise.
The issue has been addressed in Nginx UI version 2.3.4, as detailed in the project's GitHub release notes and security advisory (GHSA-fhh2-gg7w-gwpq). Security practitioners should upgrade to the patched version to mitigate the risk and review any restored backups from untrusted sources.
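As an added illustration of the integrity-verification control described above (example code, not Nginx UI's own implementation), the following Go program seals a backup with AES-256-GCM, an authenticated-encryption mode whose tag plays the role of the missing integrity check, and refuses any archive whose tag does not verify before the restore step sees a byte of it. The key, the config snippet and the function names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// newGCM wraps the archive key in AES-256-GCM; its tag detects any change to nonce, body or tag.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealBackup encrypts an archive and prefixes the random nonce to the output.
func sealBackup(key, archive []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, archive, nil), nil
}

// openBackup verifies the tag and only then returns the archive, so a tampered
// or truncated backup is rejected instead of being handed to the restore step.
func openBackup(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(sealed) >= n+gcm.Overhead() {
		return gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, fmt.Errorf("backup archive truncated")
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key only
	sealed, _ := sealBackup(key, []byte("server { listen 80; }"))
	sealed[len(sealed)-1] ^= 0x01 // flip one bit; the tag check must now fail
	if _, err := openBackup(key, sealed); err != nil {
		fmt.Println("tampered archive rejected:", err)
	}
}
```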
Details
- CWE(s)