Critical Nginx-UI Vulnerability Exposes Systems to Remote Code Execution
A critical security vulnerability has been identified in Nginx-UI’s backup and restore functionality, designated as CVE-2026-33026. This flaw enables attackers to manipulate encrypted backup archives, injecting malicious configurations during the restoration process. With a publicly available Proof-of-Concept (PoC) exploit, unpatched systems are at immediate risk of full system compromise.
Understanding the Vulnerability
The core issue lies in Nginx-UI’s flawed trust model within its backup architecture. When creating backups, Nginx-UI compresses files into ZIP archives and encrypts them using AES-256-CBC encryption. However, instead of securely storing encryption parameters server-side, the AES key and Initialization Vector (IV) are handed directly to the client as a backup security token. Because the token holder has the key and IV, the encryption protects the archive only against third parties; it offers no assurance that the archive was produced by the server, since anyone holding the token can decrypt, modify, and re-encrypt it.
Additionally, the integrity metadata file, containing SHA-256 hashes of the encrypted files, is encrypted using the same key. Since the attacker possesses the key, they can recompute the hashes and bypass every cryptographic control the archive relies on. Compounding the issue, the restore process does not enforce strict integrity verification: a hash mismatch only produces a warning, and the restore proceeds regardless.
Exploitation Mechanics and Public PoC
Security researcher ‘dapickle’ has demonstrated how this architectural weakness can be exploited. The publicly released PoC includes Python scripts that automate the decryption and rebuilding of Nginx-UI backup files.
An attacker can generate a standard backup and extract the security token from the HTTP headers. Using a decryption script, they can unpack the archive and modify the internal configuration file (app.ini). A common attack vector involves injecting a malicious command, such as `StartCmd = bash`, into the configuration.
The attacker then uses a rebuilding script to compress the modified files, calculate new legitimate-looking hashes, update the metadata, and re-encrypt the entire bundle using the original token. When this tampered backup is uploaded to the Nginx-UI restore interface, the system blindly accepts it and executes the injected payload.
Potential Impact
This vulnerability carries a Critical severity rating, earning maximum CVSS 4.0 scores across multiple impact metrics. Successful exploitation allows attackers to:
– Permanently tamper with application configurations
– Insert backdoors into Nginx routing
– Achieve arbitrary command execution on the host machine
Notably, this flaw is a regression of a previously reported vulnerability documented in the GitHub advisory GHSA-fhh2-gg7w-gwpq. While an earlier patch addressed unauthorized access to backup files, it failed to resolve the underlying cryptographic design issue, leaving the system fundamentally vulnerable to archive modifications.
Mitigation Measures
To mitigate this critical threat, administrators must immediately upgrade to the patched release, version 2.3.4. Beyond applying the latest patch, developers are advised to implement a server-side trusted integrity root. This involves signing backup metadata using a private key rather than relying on client-side tokens, ensuring the authenticity and integrity of backup files.
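The server-side integrity root described above, sketched as an added Go example (not Nginx-UI's own code): the server signs the SHA-256 metadata with an Ed25519 key that is never handed to the client, and the restore path fails closed on any signature or hash mismatch instead of merely warning. The in-memory entry map and the choice of Ed25519 are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// NewServerKey creates the signing pair; the private half stays on the server and is never placed in a client token.
func NewServerKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Metadata hashes every archive entry and returns canonical JSON (map keys are sorted, so the bytes are deterministic).
func Metadata(entries map[string][]byte) ([]byte, error) {
	hashes := make(map[string]string, len(entries))
	for name, data := range entries {
		sum := sha256.Sum256(data)
		hashes[name] = hex.EncodeToString(sum[:])
	}
	return json.Marshal(hashes)
}

// SignBackup returns the metadata file and its signature under the server-held private key.
func SignBackup(priv ed25519.PrivateKey, entries map[string][]byte) ([]byte, []byte, error) {
	meta, err := Metadata(entries)
	if err != nil {
		return nil, nil, err
	}
	return meta, ed25519.Sign(priv, meta), nil
}

// VerifyBackup fails closed: the metadata must carry a valid server signature and the archive must reproduce it exactly.
func VerifyBackup(pub ed25519.PublicKey, meta, sig []byte, entries map[string][]byte) error {
	if !ed25519.Verify(pub, meta, sig) {
		return fmt.Errorf("metadata signature invalid: refusing restore")
	}
	actual, err := Metadata(entries)
	if err != nil {
		return err
	}
	if !bytes.Equal(actual, meta) {
		return fmt.Errorf("archive contents do not match signed metadata: refusing restore")
	}
	return nil
}
```

An attacker who edits app.ini can recompute the hashes, but cannot produce a valid signature over the new metadata without the server's private key, so the restore is rejected.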
Conclusion
The discovery of CVE-2026-33026 underscores the importance of robust cryptographic practices and strict integrity verification in backup and restore mechanisms. Organizations using Nginx-UI should prioritize updating to the latest version and review their backup processes to prevent potential exploitation.