PT-2026-29088 · Nginx-Ui · Nginx-Ui

Dapickle · Published 2026-03-30 · Updated 2026-04-07 · CVE-2026-33027

CVSS v4.0: 6.9 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Nginx UI versions prior to 2.3.4

Description: Nginx UI improperly handles URL-encoded traversal sequences in the paths of its configuration-file operations, potentially leading to a partial Denial of Service. Specifically, specially crafted paths can cause the backend to resolve to the base Nginx configuration directory (/etc/nginx) and execute operations on it. An authenticated user can exploit this to remove the entire /etc/nginx directory. The issue stems from improper path canonicalization, unsafe fallback logic, and an unsafe deletion primitive that recursively removes directories without sufficient safeguards. The vulnerability is triggered by traversal sequences such as ..%252F that bypass the initial filters and cause the clamping mechanism to resolve the path to the base configuration directory. The deletion handler then uses os.RemoveAll to recursively delete the resolved path.

Recommendations: Update to Nginx UI version 2.3.4 or later.
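The three defects the advisory names (canonicalization before decoding, a fallback that clamps to the base directory, and a recursive delete that trusts the clamped result) map onto concrete checks. The following Go example is added here and is not Nginx UI's own code; `baseDir`, `ResolveConfigPath` and `RemoveConfigPath` are constructed names, and the recursive remover is injected so the check can be exercised without touching a real filesystem.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"path/filepath"
	"strings"
)

// baseDir stands in for the Nginx configuration root named in the advisory.
const baseDir = "/etc/nginx"

var errUnsafePath = errors.New("path rejected: must resolve strictly below the config root")

// ResolveConfigPath canonicalizes a user-supplied relative path and accepts it
// only if it resolves strictly below baseDir. There is no fallback: a path that
// would clamp onto the root itself (the advisory's ..%252F case) is an error.
func ResolveConfigPath(userPath string) (string, error) {
	// One decode pass, mirroring what an HTTP router already did. If percent
	// escapes remain, the input was double-encoded; no configuration filename
	// needs that, so reject it rather than decoding a second time.
	decoded, err := url.PathUnescape(userPath)
	if err != nil || strings.ContainsAny(decoded, "%\x00") {
		return "", errUnsafePath
	}
	// Canonicalize after decoding so traversal hidden by encoding is checked in
	// its resolved form. Cleaning a rooted path can only clamp, never escape, so
	// the remaining danger is landing on baseDir itself, which Rel reports as ".".
	full := filepath.Join(baseDir, filepath.Clean("/"+decoded))
	rel, err := filepath.Rel(baseDir, full)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, "../") {
		return "", errUnsafePath
	}
	return full, nil
}

// RemoveConfigPath is the deletion-handler shape the fix calls for: the
// recursive remover (os.RemoveAll in production, injected here for testing)
// only ever receives a path that ResolveConfigPath accepted, so the
// configuration root can never be the argument.
func RemoveConfigPath(userPath string, removeAll func(string) error) error {
	full, err := ResolveConfigPath(userPath)
	if err != nil {
		return err
	}
	return removeAll(full)
}

func main() {
	for _, p := range []string{"sites-enabled/example.conf", "..%252F", "../../", "%2e%2e/"} {
		full, err := ResolveConfigPath(p)
		fmt.Printf("%-28q -> %q err=%v\n", p, full, err)
	}
}
```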

Tags: Exploit · Fix · Path traversal

Weakness Enumeration

Related Identifiers

BDU:2026-04700
CVE-2026-33027
GHSA-M8P8-53VF-8357
GO-2026-4907
SUSE-SU-2026:1205-1

Affected Products

Nginx-Ui