Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.
Published: 2026-03-30
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Nginx UI is a web user interface for the Nginx web server, and a race condition in the application allows concurrent requests to corrupt the core configuration file, app.ini. The absence of a mutex and non‑atomic file writes causes persistent denial of service and opens a non‑deterministic path for remote code execution via configuration cross‑contamination. Attackers could trigger the race by sending simultaneous requests, resulting in service collapse and elevated privileges if the corrupted configuration is leveraged.

Affected Systems

The vulnerability affects the Nginx UI application released by 0xJacky, specifically all versions prior to 2.3.4. The patch that resolves the race condition is included in version 2.3.4 and newer releases. No other vendors or products are explicitly listed as affected in the advisory.

Risk and Exploitability

The CVSS base score of 7.1 reflects a high severity incident. The EPSS score of less than 1% indicates a low probability of exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Nonetheless, the attack vector is remote: external clients can access the web UI, and concurrent HTTP requests can trigger the race condition, making the vulnerability exploitable from a remote location and potentially allowing attackers to gain disruptive or higher level control over the host.

Generated by OpenCVE AI on April 2, 2026 at 04:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch to Nginx UI version 2.3.4 or later immediately.
  • Verify that no instance of Nginx UI older than 2.3.4 remains in production and decommission or upgrade any affected deployments.
  • Validate that the app.ini file remains consistent after updating and that no unintended configuration changes persist.
  • If upgrade cannot be performed right away, consider blocking concurrent modifications by restricting write access to the app.ini file or limiting simultaneous UI sessions through application or network controls, and monitor logs for signs of configuration corruption.

Generated by OpenCVE AI on April 2, 2026 at 04:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-m468-xcm6-fxg4 nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Nginxui
Nginxui nginx Ui
Uozi
Uozi cosy
CPEs cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*
cpe:2.3:a:uozi:cosy:*:*:*:*:*:go:*:*
Vendors & Products Nginxui
Nginxui nginx Ui
Uozi
Uozi cosy
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared 0xjacky
0xjacky nginx-ui
Vendors & Products 0xjacky
0xjacky nginx-ui

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.
Title Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse
Weaknesses CWE-362
References
Metrics cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

0xjacky Nginx-ui
Nginxui Nginx Ui
Uozi Cosy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T20:15:26.098Z

Reserved: 2026-03-17T17:22:14.669Z

Link: CVE-2026-33028

cve-icon Vulnrichment

Updated: 2026-03-30T20:15:20.787Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T18:16:18.947

Modified: 2026-04-01T18:45:46.340

Link: CVE-2026-33028

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:54:08Z

Weaknesses