CVE-2026-33028

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4	Product Release Notes
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:nginxui:nginx_ui::::::::
	cpe:2.3:a:uozi:cosy::::::go::*

History

01 Apr 2026, 18:45

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
First Time		Nginxui nginx Ui Nginxui Uozi cosy Uozi
CPE		cpe:2.3:a:uozi:cosy::::::go::* cpe:2.3:a:nginxui:nginx_ui::::::::
References	~~() https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4 -~~	() https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4 - Product, Release Notes
References	~~() https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4 -~~	() https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4 - Exploit, Mitigation, Vendor Advisory

01 Apr 2026, 14:24

Type	Values Removed	Values Added
Summary		(es) Nginx UI es una interfaz de usuario web para el servidor web Nginx. Antes de la versión 2.3.4, la aplicación nginx-ui es vulnerable a una condición de carrera. Debido a la ausencia completa de mecanismos de sincronización (Mutex) y escrituras de archivos no atómicas, las solicitudes concurrentes llevan a la corrupción severa del archivo de configuración principal (app.ini). Esta vulnerabilidad resulta en una denegación de servicio (DoS) persistente y introduce una ruta no determinista para la ejecución remota de código (RCE) a través de la contaminación cruzada de la configuración. Este problema ha sido parcheado en la versión 2.3.4.

30 Mar 2026, 18:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-30 18:16

Updated : 2026-04-01 18:45

NVD link : CVE-2026-33028

Mitre link : CVE-2026-33028

CVE.ORG link : CVE-2026-33028

JSON object : View

Products Affected

nginxui

nginx_ui

uozi

cosy

CWE

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

7.5 /10