Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.
Published: 2026-03-30
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: Persistent Denial of Service with potential Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A race condition in the Nginx UI web interface, caused by the absence of synchronization mechanisms and non‑atomic file writes, corrupts the primary configuration file (app.ini). The corruption is persistent: it causes a denial of service for the UI and may create a non‑deterministic path to remote code execution through configuration cross‑contamination, because the corrupted configuration may be interpreted unexpectedly.
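The two gaps named above (no mutex, non-atomic writes) correspond to a general safe-write pattern: serialize the writers, then replace the file with a fully written temporary copy via rename. The Go program below is an added example of that pattern, not nginx-ui's code or its 2.3.4 patch; `ConfigStore`, `concurrentSavesIntact` and the sample config contents are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sync"
)

type ConfigStore struct{ mu sync.Mutex; path string } // hypothetical helper, not nginx-ui code

// Save serializes writers, then swaps in a fully written, fsynced temp file via rename.
func (s *ConfigStore) Save(data []byte) error {
	s.mu.Lock()
	defer s.mu.Unlock()
	tmp, err := os.CreateTemp(filepath.Dir(s.path), ".app.ini.*") // same dir, so rename stays on one filesystem
	if err != nil {
		return err
	}
	defer os.Remove(tmp.Name()) // cleans up on failure; fails harmlessly after the rename
	_, werr := tmp.Write(data)
	serr, cerr := tmp.Sync(), tmp.Close()
	if werr != nil || serr != nil || cerr != nil {
		return fmt.Errorf("write: %v, sync: %v, close: %v", werr, serr, cerr)
	}
	return os.Rename(tmp.Name(), s.path) // readers see the old file or the new one, never a mix
}

// concurrentSavesIntact runs n concurrent writers and reports whether the surviving file is exactly one of their inputs.
func concurrentSavesIntact(dir string, n int) bool {
	s, valid := &ConfigStore{path: filepath.Join(dir, "app.ini")}, map[string]bool{}
	errs := make(chan error, n)
	for i := 0; i < n; i++ {
		cfg := fmt.Sprintf("[section]\nkey = %0*d\n", 4096*(i+1), i) // constructed sample content
		valid[cfg] = true
		go func() { errs <- s.Save([]byte(cfg)) }()
	}
	ok := true
	for i := 0; i < n; i++ {
		ok = (<-errs == nil) && ok
	}
	got, err := os.ReadFile(s.path)
	return ok && err == nil && valid[string(got)]
}

func main() {
	dir, _ := os.MkdirTemp("", "cfgdemo")
	defer os.RemoveAll(dir)
	fmt.Println(concurrentSavesIntact(dir, 16))
}
```

The mutex only protects writers inside one process; the rename is what keeps a concurrent reader, or a crash mid-write, from ever observing a partially written file.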

Affected Systems

The vulnerability affects the 0xJacky Nginx UI application. All installations running versions earlier than 2.3.4 are potentially impacted. No other versions are listed as affected.

Risk and Exploitability

The CVSS score is 7.1, indicating high severity. EPSS information is not provided, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack can be carried out remotely by sending concurrent web requests to the Nginx UI over the network; no local privileged access is required. The race condition depends on timing, which may make exploitation non‑deterministic, but the persistence of the corrupt configuration makes mitigation essential.

Generated by OpenCVE AI on March 30, 2026 at 19:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nginx UI to version 2.3.4 or later.
  • Restart the Nginx UI service after the upgrade to ensure the new configuration takes effect.
  • Verify the integrity of the app.ini file and confirm that it is not corrupted.
  • Remove any non‑official copies or patches that might re‑introduce the issue.



Advisories
Source: Github GHSA
ID: GHSA-m468-xcm6-fxg4
Title: nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse
History

Tue, 31 Mar 2026 03:00:00 +0000

Values Added:
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 30 Mar 2026 18:15:00 +0000

Values Added:
Description: Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.
Title: Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse
Weaknesses: CWE-362
References
Metrics (cvssV4_0): {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T20:15:26.098Z

Reserved: 2026-03-17T17:22:14.669Z

Link: CVE-2026-33028

Vulnrichment

Updated: 2026-03-30T20:15:20.787Z

NVD

Status: Received

Published: 2026-03-30T18:16:18.947

Modified: 2026-03-30T18:16:18.947

Link: CVE-2026-33028

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:55:19Z

Weaknesses