{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33028", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.669Z", "datePublished": "2026-03-30T17:59:19.393Z", "dateUpdated": "2026-03-30T20:15:26.098Z"}, "containers": {"cna": {"title": "Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4"}, {"name": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"}], "affected": [{"vendor": "0xJacky", "product": "nginx-ui", "versions": [{"version": "< 2.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T17:59:19.393Z"}, "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4."}], "source": {"advisory": "GHSA-m468-xcm6-fxg4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T20:15:12.763884Z", "id": "CVE-2026-33028", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T20:15:26.098Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33028", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T20:15:12.763884Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T20:15:20.787Z"}}], "cna": {"title": "Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse", "source": {"advisory": "GHSA-m468-xcm6-fxg4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "0xJacky", "product": "nginx-ui", "versions": [{"status": "affected", "version": "< 2.3.4"}]}], "references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4", "name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4", "name": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T17:59:19.393Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33028", "state": "PUBLISHED", "dateUpdated": "2026-03-30T20:15:26.098Z", "dateReserved": "2026-03-17T17:22:14.669Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-30T17:59:19.393Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAC83E05-2DDE-450D-8718-843174EAB4E1", "versionEndExcluding": "2.3.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:uozi:cosy:*:*:*:*:*:go:*:*", "matchCriteriaId": "05EA43ED-701D-4489-B576-21AF6CD2E5DE", "versionEndExcluding": "1.30.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4."}, {"lang": "es", "value": "Nginx UI es una interfaz de usuario web para el servidor web Nginx. Antes de la versi\u00f3n 2.3.4, la aplicaci\u00f3n nginx-ui es vulnerable a una condici\u00f3n de carrera. Debido a la ausencia completa de mecanismos de sincronizaci\u00f3n (Mutex) y escrituras de archivos no at\u00f3micas, las solicitudes concurrentes llevan a la corrupci\u00f3n severa del archivo de configuraci\u00f3n principal (app.ini). Esta vulnerabilidad resulta en una denegaci\u00f3n de servicio (DoS) persistente y introduce una ruta no determinista para la ejecuci\u00f3n remota de c\u00f3digo (RCE) a trav\u00e9s de la contaminaci\u00f3n cruzada de la configuraci\u00f3n. Este problema ha sido parcheado en la versi\u00f3n 2.3.4."}], "id": "CVE-2026-33028", "lastModified": "2026-04-01T18:45:46.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-30T18:16:18.947", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nginx-ui", "source": "cna", "vendor": "0xJacky"}, "product": "nginx-ui", "vendor": "0xjacky"}], "analysis": {"en": {"generated_at": "2026-04-02T04:04:36.838426+00:00", "value": {"mitigation_remediation": ["Apply the vendor patch to Nginx UI version 2.3.4 or later immediately.", "Verify that no instance of Nginx UI older than 2.3.4 remains in production and decommission or upgrade any affected deployments.", "Validate that the app.ini file remains consistent after updating and that no unintended configuration changes persist.", "If upgrade cannot be performed right away, consider blocking concurrent modifications by restricting write access to the app.ini file or limiting simultaneous UI sessions through application or network controls, and monitor logs for signs of configuration corruption."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Nginx UI application released by 0xJacky, specifically all versions prior to 2.3.4. The patch that resolves the race condition is included in version 2.3.4 and newer releases. No other vendors or products are explicitly listed as affected in the advisory.", "description_and_impact": "Nginx UI is a web user interface for the Nginx web server, and a race condition in the application allows concurrent requests to corrupt the core configuration file, app.ini. The absence of a mutex and non\u2011atomic file writes causes persistent denial of service and opens a non\u2011deterministic path for remote code execution via configuration cross\u2011contamination. Attackers could trigger the race by sending simultaneous requests, resulting in service collapse and elevated privileges if the corrupted configuration is leveraged.", "risk_and_exploitability": "The CVSS base score of 7.1 reflects a high severity incident. The EPSS score of less than 1% indicates a low probability of exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Nonetheless, the attack vector is remote: external clients can access the web UI, and concurrent HTTP requests can trigger the race condition, making the vulnerability exploitable from a remote location and potentially allowing attackers to gain disruptive or higher level control over the host."}}}}, "created": "2026-03-30T20:55:19.637871+00:00", "updated": "2026-04-02T07:54:08.780200+00:00", "vendors": ["0xjacky", "0xjacky$PRODUCT$nginx-ui"]}