Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, this allows an authenticated user to remove the entire /etc/nginx directory, resulting in a partial Denial of Service. This issue has been patched in version 2.3.4.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via recursive deletion of /etc/nginx
Action: Patch
AI Analysis

Impact

Nginx UI allows an authenticated user to supply specially crafted, URL‑encoded traversal sequences that the backend resolves to the base Nginx configuration directory (/etc/nginx). This flaw permits the deletion of that entire directory, causing a partial denial of service by removing essential configuration files. The weakness is a path traversal/bounded directory removal (CWE‑22, CWE‑73).

Affected Systems

The vulnerability affects the 0xJacky Nginx UI product before version 2.3.4. Users deploying Nginx UI v2.3.3 or earlier are exposed.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread. The vulnerability is not listed in KEV. Exploitation requires authentication to the web UI; an attacker must first obtain valid credentials or local access. If authenticated, the attacker can craft a URL containing traversal sequences to trigger deletion of the configuration directory.

Generated by OpenCVE AI on April 2, 2026 at 04:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nginx UI to version 2.3.4 or later.

Generated by OpenCVE AI on April 2, 2026 at 04:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m8p8-53vf-8357 Nginx Configuration Directory Vulnerable to Recursive Deletion via Improper Path Validation
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Nginxui
Nginxui nginx Ui
CPEs cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*
Vendors & Products Nginxui
Nginxui nginx Ui
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared 0xjacky
0xjacky nginx-ui
Vendors & Products 0xjacky
0xjacky nginx-ui

Mon, 30 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, this allows an authenticated user to remove the entire /etc/nginx directory, resulting in a partial Denial of Service. This issue has been patched in version 2.3.4.
Title Nginx UI: Improper Path Validation Allows Recursive Deletion of the Nginx Configuration Directory
Weaknesses CWE-22
CWE-73
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

0xjacky Nginx-ui
Nginxui Nginx Ui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T18:37:18.224Z

Reserved: 2026-03-17T17:22:14.668Z

Link: CVE-2026-33027

cve-icon Vulnrichment

Updated: 2026-03-30T18:37:09.291Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T18:16:18.783

Modified: 2026-04-01T18:33:36.090

Link: CVE-2026-33027

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:54:07Z

Weaknesses