{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33026", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.668Z", "datePublished": "2026-03-30T19:26:27.695Z", "dateUpdated": "2026-03-31T14:17:48.298Z"}, "containers": {"cna": {"title": "nginx-ui Backup Restore Allows Tampering with Encrypted Backups", "problemTypes": [{"descriptions": [{"cweId": "CWE-312", "lang": "en", "description": "CWE-312: Cleartext Storage of Sensitive Information", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-347", "lang": "en", "description": "CWE-347: Improper Verification of Cryptographic Signature", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-354", "lang": "en", "description": "CWE-354: Improper Validation of Integrity Check Value", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "baseScore": 9.4, "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "version": "4.0"}}], "references": [{"name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq"}, {"name": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"}], "affected": [{"vendor": "0xJacky", "product": "nginx-ui", "versions": [{"version": "< 2.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T19:26:27.695Z"}, "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4."}], "source": {"advisory": "GHSA-fhh2-gg7w-gwpq", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-31T14:17:44.821264Z", "id": "CVE-2026-33026", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-31T14:17:48.298Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "nginx-ui Backup Restore Allows Tampering with Encrypted Backups", "source": {"advisory": "GHSA-fhh2-gg7w-gwpq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.4, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "0xJacky", "product": "nginx-ui", "versions": [{"status": "affected", "version": "< 2.3.4"}]}], "references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq", "name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4", "name": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-312", "description": "CWE-312: Cleartext Storage of Sensitive Information"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347: Improper Verification of Cryptographic Signature"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-354", "description": "CWE-354: Improper Validation of Integrity Check Value"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T19:26:27.695Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33026", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-31T14:17:44.821264Z"}}}], "references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq", "tags": ["exploit"]}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-31T14:17:33.286Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-33026", "state": "PUBLISHED", "dateUpdated": "2026-03-30T19:26:27.695Z", "dateReserved": "2026-03-17T17:22:14.668Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-30T19:26:27.695Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAC83E05-2DDE-450D-8718-843174EAB4E1", "versionEndExcluding": "2.3.4", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4."}, {"lang": "es", "value": "Nginx UI es una interfaz de usuario web para el servidor web Nginx. Antes de la versi\u00f3n 2.3.4, el mecanismo de restauraci\u00f3n de copias de seguridad de nginx-ui permite a los atacantes manipular archivos de copia de seguridad cifrados e inyectar configuraci\u00f3n maliciosa durante la restauraci\u00f3n. Este problema ha sido parcheado en la versi\u00f3n 2.3.4."}], "id": "CVE-2026-33026", "lastModified": "2026-04-01T18:16:43.630", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.4, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-30T20:16:22.130", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-312"}, {"lang": "en", "value": "CWE-347"}, {"lang": "en", "value": "CWE-354"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nginx-ui", "source": "cna", "vendor": "0xJacky"}, "product": "nginx-ui", "vendor": "0xjacky"}], "analysis": {"en": {"generated_at": "2026-04-02T04:58:08.790502+00:00", "value": {"mitigation_remediation": ["Upgrade nginx\u2011ui to version 2.3.4 or later"], "summary": {"action": "Patch immediately", "impact": "Remote configuration injection that can lead to code execution"}, "threat_synthesis": {"affected_systems": "All installations of nginx\u2011ui with a version earlier than 2.3.4 are affected. No platform or operating system restriction is noted, so any host running the vulnerable web interface, regardless of its underlying OS, may be at risk. The vulnerability is specific to the 0xJacky nginx\u2011ui product and does not extend to other nginx components.", "description_and_impact": "The nginx\u2011ui backup restore function, prior to version 2.3.4, allows an attacker who supplies a backup archive to modify the contents of an encrypted backup and inject malicious configuration directives. When the backup is restored, these directives become part of the nginx configuration, potentially granting unauthorized access or allowing arbitrary commands to run when nginx starts. This vulnerability involves improper handling of encrypted backup data and directly affects configuration integrity.", "risk_and_exploitability": "The flaw carries a CVSS score of 9.4, placing it in the critical range. Its EPSS score is below 1\u202f%, indicating that automated exploitation attempts are currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The most probable attack vector is via the web UI\u2019s restore endpoint, requiring the attacker to be able to upload a crafted backup file; this infers that the attacker must have some level of interaction with the target system or the ability to deliver a malicious archive to a vulnerable instance."}}}}, "created": "2026-03-30T20:55:08.227490+00:00", "updated": "2026-04-02T07:53:59.107184+00:00", "vendors": ["0xjacky", "0xjacky$PRODUCT$nginx-ui"]}