Zero Day Monitor (ZDM)
CVE-2026-33026 · PATCHED · CVSS 9.1
nginxui · nginx_ui

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| nginxui | nginx_ui | < 2.3.4 |

Also Affects

Downstream vendors/products affected by this vulnerability

| Vendor | Product | Source | Confidence |
|---|---|---|---|
| nginx | nginx | cert_advisory | 90% |

References

  • https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4
  • https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq

Related News (1 articles)

Tier B · BSI Advisories · 15d ago
[NEW] [high] nginx-ui: Multiple vulnerabilities
→ No new info (linked only)

CVSS 3.1: 9.1 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ❌ No
Patch available: 2.3.4
CWE: CWE-312, CWE-347, CWE-354
Published: Mar 30, 2026
Last enriched: 14d ago
Trending Score: 5
Source articles: 1
Independent: 1
Info Completeness: 4/14
Missing: vendor, product, versions, cvss, epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

CRITICAL · CVE-2026-33032 · EXP · KEV
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /
Trending: 114
CRITICAL · CVE-2026-27944 · EXP · KEV
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt t
Trending: 96
HIGH · CVE-2026-33030
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to
Trending: 37
HIGH · CVE-2026-33028
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms
Trending: 4
MEDIUM · CVE-2026-33027
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are suppl
Trending: 3

Verification

State: verified
Confidence: 100%

Vulnerability Timeline

CVE Published: Mar 30, 2026
Patch Available: Apr 1, 2026
Discovered by ZDM: Apr 1, 2026