PT-2026-29103 · Nginx-Ui · Nginx-Ui

Dapickle · Published 2026-03-17 · Updated 2026-04-07

CVE-2026-33026
CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Nginx UI versions prior to 2.3.4

Description: Nginx UI, a web user interface for the Nginx web server, contains a flaw in its backup restore mechanism. Prior to version 2.3.4, attackers can manipulate encrypted backup archives and inject malicious configuration during the restoration process. The backup format lacks a trusted integrity root, relying on encryption keys provided to the client for both encryption and integrity verification. This creates a circular trust model where attackers can decrypt, modify, re-hash, and re-encrypt backups, effectively bypassing integrity checks. Successful exploitation could lead to persistent configuration tampering, backdoor insertion, and potentially arbitrary command execution on the host system. The issue stems from a cryptographic design weakness that remained exploitable even after a previous fix addressing unauthorized access to backup files. The vulnerability is related to the following files: backup crypto.go, backup.go, restore.go, and SystemRestoreContent.vue.

Recommendations: Update Nginx UI to version 2.3.4 or later.
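To make the trust-model point concrete, the following is an added example and not Nginx UI's code: a toy model (SHAKE256 keystream standing in for the real cipher, HMAC-SHA256 as the integrity tag, constructed sample keys and configs) contrasting a restore check whose tag is keyed by the client-held key with one keyed by a secret that stays on the server.

```python
import hashlib
import hmac
import secrets
from typing import Optional

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Toy stream cipher for this demonstration only: SHAKE256(key || nonce).
    return hashlib.shake_256(key + nonce).digest(n)

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal(plaintext: bytes, enc_key: bytes, mac_key: bytes) -> dict:
    """Encrypt with enc_key, then tag nonce||ciphertext with mac_key."""
    nonce = secrets.token_bytes(16)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def restore(blob: dict, enc_key: bytes, mac_key: bytes) -> Optional[bytes]:
    """Restore-side check: refuse the archive unless the tag verifies under mac_key."""
    expect = hmac.new(mac_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, blob["tag"]):
        return None
    return _xor(blob["ct"], _keystream(enc_key, blob["nonce"], len(blob["ct"])))

# Constructed sample values, not taken from the advisory or the project.
CLIENT_KEY = secrets.token_bytes(32)  # handed to the user along with the backup
SERVER_KEY = secrets.token_bytes(32)  # kept on the server, never exported
GOOD_CONF = b"server { listen 80; root /var/www; }"
BAD_CONF = b"server { listen 80; root /var/www; } # injected directive"

def circular_model() -> Optional[bytes]:
    # Tag keyed by the client-held key: any holder of that key can produce a
    # fresh, validly tagged archive with different content, so it is accepted.
    archive = seal(BAD_CONF, CLIENT_KEY, CLIENT_KEY)
    return restore(archive, CLIENT_KEY, CLIENT_KEY)

def rooted_model() -> Optional[bytes]:
    # Tag keyed by a server-side secret: an archive tagged with only the
    # client key fails verification and is not restored.
    archive = seal(BAD_CONF, CLIENT_KEY, CLIENT_KEY)
    return restore(archive, CLIENT_KEY, SERVER_KEY)

def rooted_model_legit() -> Optional[bytes]:
    # A backup the server itself produced still restores normally.
    archive = seal(GOOD_CONF, CLIENT_KEY, SERVER_KEY)
    return restore(archive, CLIENT_KEY, SERVER_KEY)
```

Encryption alone buys nothing here: whoever can decrypt the archive can also re-tag it unless the tag key is one the client never receives.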

Exploit

Fix

Weakness Enumeration

Improper Verification of Cryptographic Signature
Cleartext Storage of Sensitive Information


Related Identifiers

BDU:2026-06993
CVE-2026-33026
GHSA-FHH2-GG7W-GWPQ
GO-2026-4903
SUSE-SU-2026:1205-1

Affected Products

Nginx-Ui