CVE-2026-33028
Published: 30 March 2026
Summary
CVE-2026-33028 is a high-severity Race Condition (CWE-362) vulnerability in Nginx UI (vendor: nginxui). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 25.7th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SI-7 (Software, Firmware, and Information Integrity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the race condition by identifying, prioritizing, and applying the vendor patch in Nginx UI version 2.3.4, eliminating the file corruption risk.
- SI-7 (Software, Firmware, and Information Integrity): performs integrity checks on critical files such as app.ini to detect unauthorized modification or corruption resulting from concurrent non-atomic writes.
- Access restriction: limits the configuration change mechanisms of the Nginx UI to authorized roles, preventing low-privilege users from sending the concurrent requests that trigger the race condition.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the public-facing Nginx UI web application directly enables exploitation under T1190; concurrent requests corrupt the stored configuration (T1565.001, Stored Data Manipulation), producing application denial of service (T1499.004, Application or System Exploitation). The non-deterministic RCE path is noted but is too vague to support additional mappings.
NVD Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.
Deeper analysis
Nginx UI, a web user interface for the Nginx web server, contains a race condition vulnerability (CVE-2026-33028, CWE-362) in versions prior to 2.3.4. The issue stems from the complete absence of synchronization mechanisms, such as mutexes, combined with non-atomic file writes to the primary configuration file (app.ini). Concurrent requests to the application trigger severe corruption of this file. The CVSS v3.1 base score is 7.5 (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H).
An attacker with low privileges (PR:L), such as an authenticated user, can exploit this over the network (AV:N) by sending concurrent requests, though it requires high attack complexity (AC:H) and no user interaction (UI:N). Successful exploitation leads to persistent denial of service (DoS) due to the corrupted configuration file, rendering the application inoperable. Additionally, it opens a non-deterministic path to remote code execution (RCE) through configuration cross-contamination.
The vulnerability has been addressed in Nginx UI version 2.3.4, as detailed in the project's release notes and GitHub security advisory (GHSA-m468-xcm6-fxg4). Security practitioners should upgrade to the patched version to mitigate the risk of file corruption and potential escalation to RCE.
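To make the root cause concrete, the following Go program is an added illustration of the two ingredients the advisory says were missing: a mutex that serialises writers to the configuration file, and an atomic write that stages the new contents in a temporary file and renames it over the target, so a reader sees either the old file or the new one but never an interleaved mix. This is example code written here, not code from the Nginx UI project; the ConfigStore type, the app.ini key names and the payloads the writers race to save are all constructed for the demonstration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sync"
)

// ConfigStore serialises writes to a single configuration file (an app.ini-style
// file in this example) and makes each write atomic: the new contents go to a
// temp file in the same directory, are fsynced, and are then renamed over the
// target. Without the mutex and the rename, two concurrent writers could
// interleave their bytes inside the same file.
type ConfigStore struct {
	mu   sync.Mutex
	path string
}

func NewConfigStore(path string) *ConfigStore { return &ConfigStore{path: path} }

// Save replaces the file contents atomically; concurrent callers are serialised.
func (s *ConfigStore) Save(content []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()

	// The temp file must live on the same filesystem as the target for rename to be atomic.
	tmp, err := os.CreateTemp(filepath.Dir(s.path), ".app.ini.*.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	// On any failure, remove the temp file so no half-written copy lingers.
	fail := func(e error) error { tmp.Close(); os.Remove(tmpName); return e }

	if _, err := tmp.Write(content); err != nil {
		return fail(err)
	}
	if err := tmp.Sync(); err != nil { // push the bytes to stable storage first
		return fail(err)
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmpName)
		return err
	}
	// rename(2) swaps the whole file in one step on POSIX filesystems.
	if err := os.Rename(tmpName, s.path); err != nil {
		os.Remove(tmpName)
		return err
	}
	return nil
}

// Load reads the current contents under the same lock.
func (s *ConfigStore) Load() ([]byte, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	return os.ReadFile(s.path)
}

// renderConfig builds a constructed app.ini-style payload for writer i
// (the section and key names are made up for this example).
func renderConfig(i int) []byte {
	return []byte(fmt.Sprintf("[app]\nPageSize = %d\nWriterTag = writer-%d\n", 10+i, i))
}

// ConcurrentSaves has n goroutines race to save different configs, then
// reports whether the final file is exactly one writer's complete payload
// (true) rather than a mix of several (false).
func ConcurrentSaves(dir string, n int) (bool, error) {
	store := NewConfigStore(filepath.Join(dir, "app.ini"))
	var wg sync.WaitGroup
	errs := make(chan error, n)
	for i := 0; i < n; i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			if err := store.Save(renderConfig(i)); err != nil {
				errs <- err
			}
		}(i)
	}
	wg.Wait()
	close(errs)
	for err := range errs {
		return false, err
	}
	got, err := store.Load()
	if err != nil {
		return false, err
	}
	for i := 0; i < n; i++ {
		if string(got) == string(renderConfig(i)) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	dir, err := os.MkdirTemp("", "cfgstore")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	ok, err := ConcurrentSaves(dir, 50)
	fmt.Println("final app.ini is one complete payload:", ok, "error:", err)
}
```

The mutex addresses writers inside one process; the temp-file-plus-rename step is what protects readers and any second process, since a crash mid-write leaves only an orphaned temp file rather than a truncated app.ini. A production implementation would also fsync the directory after the rename so the new name itself survives a power loss.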
Details
- CWE(s)