PT-2026-29089 · Nginx-Ui · Nginx-Ui

Dapickle · Published 2026-03-30 · Updated 2026-04-07 · CVE-2026-33028
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Nginx UI versions prior to 2.3.4
Description: Nginx UI is susceptible to a race condition caused by missing synchronization and non-atomic file writes in its settings update pipeline. ProtectedFill() replaces shared global singleton pointers without any locking, and the underlying INI library overwrites the primary configuration file (app.ini) in place while other requests may be doing the same. When several POST /api/settings requests are processed at once, their writes interleave and app.ini can be left with incomplete or truncated keys. Because app.ini is the configuration the service loads, the damage is persistent: the service may redirect to the installation page, fail, or become unresponsive, a Denial of Service that survives restarts until the file is repaired. The corruption can also mix values from different requests into the wrong keys (configuration cross-contamination); the advisory treats this as a potential, non-deterministic path to Remote Code Execution rather than a reliable one. Exploitation requires an account that can reach the settings endpoint (PR:L) and winning the race (AC:H), which is why the score is 7.5 despite High impact on confidentiality, integrity and availability.
Recommendations: Update any installation running a version prior to 2.3.4 to version 2.3.4 or later. Updating alone does not repair an app.ini that has already been corrupted: check that the file still parses and that the UI no longer prompts for installation, and restore it from a known-good copy if it does not.

Exploit

Fix

Weakness Enumeration: Race Condition

Related Identifiers

BDU:2026-06992
CVE-2026-33028
GHSA-M468-XCM6-FXG4
GO-2026-4906
SUSE-SU-2026:1205-1

Affected Products

Nginx-Ui