Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.
Published: 2026-03-30
Score: 9.4 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote configuration injection that can lead to code execution
Action: Patch immediately
AI Analysis

Impact

The nginx-ui backup restore function, prior to version 2.3.4, allows an attacker who supplies a backup archive to modify the contents of an encrypted backup and inject malicious configuration directives. When the backup is restored, these directives become part of the nginx configuration, potentially granting unauthorized access or allowing arbitrary commands to run when nginx starts. This vulnerability involves improper handling of encrypted backup data and directly affects configuration integrity.
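The weaknesses recorded for this CVE (CWE-347, improper verification of a cryptographic signature, and CWE-354, improper validation of an integrity check value) describe the defensive gap: an encrypted archive whose contents are not authenticated can be altered without the restore step noticing. The example below is added here to illustrate the mitigation pattern and is not nginx-ui's own code or its backup format; it uses AES-256-GCM so that the restore path authenticates the whole archive (nonce, ciphertext and a constructed format label as associated data) before any plaintext reaches the configuration writer. The key, the label, the sample configuration and the `applyConfig` stand-in are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ErrTampered is returned whenever the sealed archive does not authenticate.
// The caller never sees partial plaintext, so nothing from a tampered
// archive can reach the restore step.
var ErrTampered = errors.New("backup archive failed integrity check")

// backupLabel is a constructed associated-data string (an assumption of this
// example, not a value from nginx-ui). Binding it into the GCM tag means an
// archive sealed under a different label is rejected even with the right key.
const backupLabel = "example-backup-format-v1"

// SealBackup encrypts and authenticates an archive with AES-256-GCM.
// Output layout: nonce || ciphertext || 16-byte GCM tag.
func SealBackup(key, archive []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag to the nonce so the nonce travels with the blob.
	return aead.Seal(nonce, nonce, archive, []byte(backupLabel)), nil
}

// OpenBackup verifies the GCM tag over the nonce-bound ciphertext and the
// associated data before returning any plaintext. A bit flip anywhere in the
// ciphertext or tag, a wrong key, a truncated blob or a mismatched label all
// yield ErrTampered.
func OpenBackup(key, sealed []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, ErrTampered
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	plain, err := aead.Open(nil, nonce, ct, []byte(backupLabel))
	if err != nil {
		return nil, ErrTampered
	}
	return plain, nil
}

// RestoreConfig is the guard a restore handler should sit behind: it hands
// the archive to applyConfig only after OpenBackup succeeded, and reports
// whether the restore was applied.
func RestoreConfig(key, sealed []byte) (applied bool, err error) {
	plain, err := OpenBackup(key, sealed)
	if err != nil {
		return false, err
	}
	return applyConfig(plain), nil
}

// applyConfig is a constructed stand-in for writing the restored
// configuration; here it only checks that the archive is non-empty.
func applyConfig(archive []byte) bool { return len(archive) > 0 }

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32)                   // constructed demo key; derive real keys from a keystore or KDF
	archive := []byte("server { listen 80; root /var/www; }") // constructed sample config
	sealed, err := SealBackup(key, archive)
	if err != nil {
		panic(err)
	}

	applied, err := RestoreConfig(key, sealed)
	fmt.Println("intact archive restored:", applied, err)

	// Flip one bit inside the ciphertext body and try to restore again.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)-20] ^= 0x01
	applied, err = RestoreConfig(key, tampered)
	fmt.Println("tampered archive restored:", applied, err)
}
```

The design point is that integrity is checked over everything the restore step will trust, and it is checked before decryption output is used; an unauthenticated mode (or a MAC computed only over part of the archive) leaves exactly the tampering window the CWE-354 classification describes.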

Affected Systems

All installations of nginx-ui with a version earlier than 2.3.4 are affected. No platform or operating system restriction is noted, so any host running the vulnerable web interface, regardless of its underlying OS, may be at risk. The vulnerability is specific to the 0xJacky nginx-ui product and does not extend to other nginx components.

Risk and Exploitability

The flaw carries a CVSS score of 9.4, placing it in the critical range. Its EPSS score is below 1%, indicating that automated exploitation attempts are currently unlikely. The vulnerability is not listed in the CISA KEV catalog. The most probable attack vector is the web UI's restore endpoint, which requires the attacker to be able to upload a crafted backup file; this implies that the attacker must already have some level of access to the target system or a way to deliver a malicious archive to a vulnerable instance.

Generated by OpenCVE AI on April 2, 2026 at 04:58 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade nginx-ui to version 2.3.4 or later

Advisories

Source: Github GHSA
ID: GHSA-fhh2-gg7w-gwpq
Title: nginx-ui Backup Restore Allows Tampering with Encrypted Backups
History

Wed, 01 Apr 2026 23:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Nginxui; Nginxui nginx Ui
CPEs | | cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*
Vendors & Products | | Nginxui; Nginxui nginx Ui
Metrics | | cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Wed, 01 Apr 2026 02:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | 0xjacky; 0xjacky nginx-ui
Vendors & Products | | 0xjacky; 0xjacky nginx-ui

Tue, 31 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 19:45:00 +0000

Type | Values Removed | Values Added
Description | | Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.
Title | | nginx-ui Backup Restore Allows Tampering with Encrypted Backups
Weaknesses | | CWE-312; CWE-347; CWE-354
References | |
Metrics | | cvssV4_0 {'score': 9.4, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:17:48.298Z

Reserved: 2026-03-17T17:22:14.668Z

Link: CVE-2026-33026

Vulnrichment

Updated: 2026-03-31T14:17:33.286Z

NVD

Status: Analyzed

Published: 2026-03-30T20:16:22.130

Modified: 2026-04-01T18:16:43.630

Link: CVE-2026-33026

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T07:53:59Z

Weaknesses