{
    "document": {
        "category": "csaf_base",
        "csaf_version": "2.0",
        "distribution": {
            "tlp": {
                "label": "WHITE"
            }
        },
        "lang": "en",
        "notes": [
            {
                "category": "legal_disclaimer",
                "text": "The Netherlands Cyber Security Center (henceforth: NCSC-NL) maintains this portal to enhance access to its information and vulnerabilities. The use of this information is subject to the following terms and conditions:\n\nThe vulnerabilities disclosed in this portal are gathered by NCSC-NL from a variety of open sources, which the user can retrieve from other platforms. NCSC-NL makes every reasonable effort to ensure that the content of this portal is kept up to date, and that it is accurate and complete. Nevertheless, NCSC-NL cannot entirely rule out the possibility of errors, and therefore cannot give any warranty in respect of its completeness, accuracy or real-time keeping up-to-date. NCSC-NL does not control nor guarantee the accuracy, relevance, timeliness or completeness of information obtained from these external sources. The vulnerabilities disclosed in this portal are intended solely for the convenience of professional parties to take appropriate measures to manage the risks posed to cybersecurity. No rights can be derived from the information provided therein.\n\nNCSC-NL and the Kingdom of the Netherlands assume no legal liability or responsibility for any damage resulting from either the use or inability of use of the vulnerabilities disclosed in this portal. This includes damage resulting from the inaccuracy or incompleteness of the information contained in it.\nThe information on this page is subject to Dutch law. All disputes related to or arising from the use of this portal regarding the disclosure of vulnerabilities will be submitted to the competent court in The Hague. This choice of means also applies to the court in summary proceedings."
            }
        ],
        "publisher": {
            "category": "coordinator",
            "contact_details": "cert@ncsc.nl",
            "name": "National Cyber Security Centre",
            "namespace": "https://www.ncsc.nl/"
        },
        "title": "CVE-2026-33028",
        "tracking": {
            "current_release_date": "2026-04-01T22:59:06.933449Z",
            "generator": {
                "date": "2026-02-17T15:00:00Z",
                "engine": {
                    "name": "V.E.L.M.A",
                    "version": "1.7"
                }
            },
            "id": "CVE-2026-33028",
            "initial_release_date": "2026-03-30T16:52:58.068565Z",
            "revision_history": [
                {
                    "date": "2026-03-30T16:52:58.068565Z",
                    "number": "1",
                    "summary": "CVE created.| Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (3).| CWES updated (1)."
                },
                {
                    "date": "2026-03-30T16:53:06.602162Z",
                    "number": "2",
                    "summary": "NCSC Score created."
                },
                {
                    "date": "2026-03-30T18:26:18.916414Z",
                    "number": "3",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-30T18:26:20.339011Z",
                    "number": "4",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-30T18:39:54.316206Z",
                    "number": "5",
                    "summary": "Source created.| CVE status created. (valid)| Description created for source.| CVSS created.| Products connected (1).| References created (2).| CWES updated (1)."
                },
                {
                    "date": "2026-03-30T18:39:56.075605Z",
                    "number": "6",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-30T20:38:47.097074Z",
                    "number": "7",
                    "summary": "Unknown change."
                },
                {
                    "date": "2026-03-30T22:12:53.180989Z",
                    "number": "8",
                    "summary": "References created (1)."
                },
                {
                    "date": "2026-03-31T12:05:47.460567Z",
                    "number": "9",
                    "summary": "Source connected.| CVE status created. (valid)| Products connected (1).| References created (15)."
                },
                {
                    "date": "2026-03-31T12:05:53.584296Z",
                    "number": "10",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-03-31T16:58:07.126056Z",
                    "number": "11",
                    "summary": "Source connected.| CVE status created. (valid)| EPSS created."
                },
                {
                    "date": "2026-03-31T16:58:09.278671Z",
                    "number": "12",
                    "summary": "NCSC Score updated."
                },
                {
                    "date": "2026-04-01T22:59:01.063932Z",
                    "number": "13",
                    "summary": "CVSS created.| Products connected (1).| Product Identifiers created (2).| Products created (1).| Exploits created (1)."
                },
                {
                    "date": "2026-04-01T22:59:02.852506Z",
                    "number": "14",
                    "summary": "NCSC Score updated."
                }
            ],
            "status": "interim",
            "version": "14"
        }
    },
    "product_tree": {
        "branches": [
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/ui <2.3.4",
                                "product": {
                                    "name": "vers:unknown/ui <2.3.4",
                                    "product_id": "CSAFPID-5968318"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "NGINX"
                    }
                ],
                "category": "vendor",
                "name": "NGINX"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<1.30.1",
                                "product": {
                                    "name": "vers:unknown/<1.30.1",
                                    "product_id": "CSAFPID-5982831",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:uozi:cosy:*:*:*:*:*:go:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "cosy"
                    }
                ],
                "category": "vendor",
                "name": "uozi"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.3.4",
                                "product": {
                                    "name": "vers:unknown/<2.3.4",
                                    "product_id": "CSAFPID-5965559"
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "nginx-ui"
                    }
                ],
                "category": "vendor",
                "name": "0xJacky"
            },
            {
                "branches": [
                    {
                        "branches": [
                            {
                                "category": "product_version_range",
                                "name": "vers:unknown/<2.3.4",
                                "product": {
                                    "name": "vers:unknown/<2.3.4",
                                    "product_id": "CSAFPID-5982828",
                                    "product_identification_helper": {
                                        "cpe": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*"
                                    }
                                }
                            }
                        ],
                        "category": "product_name",
                        "name": "nginx_ui"
                    }
                ],
                "category": "vendor",
                "name": "nginxui"
            }
        ]
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-33028",
            "cwe": {
                "id": "CWE-362",
                "name": "Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"
            },
            "notes": [
                {
                    "category": "description",
                    "text": "### Summary\nThe `nginx-ui` application is vulnerable to a **Race Condition**. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (`app.ini`). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for **Remote Code Execution (RCE)** through configuration cross-contamination.\n\n### Details\nThe vulnerability exists because the settings update pipeline does not implement any synchronization primitives. When multiple requests reach the handler simultaneously:\n1.  **Memory Corruption**: `ProtectedFill()` modifies shared global singleton pointers without thread-safety, leading to inconsistent states in memory.\n2.  **File Corruption**: The underlying library (`gopkg.in/ini.v1`) performs direct overwrites. Concurrent write operations interleave at the OS level, resulting in `app.ini` files with empty leading lines, truncated fields, or partially overwritten configuration keys.\n3.  **State Persistent Failure**: Depending on which bytes are corrupted, the application either fails its \"is-installed\" check (redirecting to `/install`) or encounters a fatal error during boot/runtime that prevents the process from responding to any further requests.\n\n**Environment:**\n- **OS**: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)\n- **Application Version**: nginx-ui v2.3.3 (513) e5da6dd (go1.26.0)\n- **Deployment**: Docker Container\n\n### PoC\n0. Check original app.ini file valid state:\n<img width=\"524\" height=\"367\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d9688f76-7fe7-46ea-9eb9-c55bf40918a6\" />\n\n1. Log in to the `nginx-ui` dashboard.\n2. Navigate to Preferences and update settings. Capture a `POST /api/settings` request and send it to **Burp Suite Intruder**.\n3. 
Configure the attack with **Null payloads** (to test basic concurrency) or a **Fuzzing list** (to test data-driven corruption).\n4. Set the **Resource Pool** to 20-50 concurrent requests.\n<img width=\"1188\" height=\"776\" alt=\"image\" src=\"https://github.com/user-attachments/assets/403eef43-2bc6-4651-8802-15ddcb4f7631\" />\n\n5. **Observation (In-flight corruption)**: Monitor the `app.ini` file. You will observe the file being written with empty leading lines or incomplete key-value pairs. \n\n- <img width=\"1316\" height=\"390\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d99553f7-d253-4525-9b45-f59994e69180\" />\n------------------------------------------------\n\n- <img width=\"1368\" height=\"709\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7522ba29-39f1-4c22-88f2-8e859cdb1984\" />\n\n6. **Observation (Recovery Failure)**: If the service redirects to `/install`, attempting to complete the setup again often fails because the underlying configuration state is too corrupted to be reconciled by the installer logic.\n7. **Observation (Total Service Collapse)**: When the corruption in `app.ini` becomes so severe, the Go runtime or the INI parser encounters a fatal error, causing the Nginx-UI service to stop responding entirely (Hard DoS).\n\n<img width=\"1344\" height=\"542\" alt=\"image\" src=\"https://github.com/user-attachments/assets/da4b99dc-ddce-4b79-b0bb-2d634bdd3bf7\" />\n\n8. **Observation (Cross-Section Contamination)**: During testing, it was observed that sometimes INI sections become interleaved. 
For example, fields belonging to the `[nginx]` section (like `ConfigDir` or `ReloadCmd`) were erroneously written under the `[webauthn]` section.\n   \n   **Example of corrupted output observed:**\n```\n[webauthn]\nRPDisplayName  = \nRPID           = \nRPOrigins      = \ngDirWhiteList  = \nConfigDir      = /etc/nginx\nConfigPath     = \nPIDPath        = /run/nginx.pid\nSbinPath       = \nTestConfigCmd  = \nReloadCmd      = nginx -s reload\nRestartCmd     = nginx -s stop\nStubStatusPort = 51820\nContainerName  = \n```\n\n### Impact\nThis is a **High** security risk (CWE-362: Race Condition).\n- **Integrity**: Permanent corruption of application settings and system-level configuration.\n- **Availability**: High. The attack results in a persistent Denial of Service that cannot be recovered via the web UI.\n- **Remote Code Execution (RCE)** Risk: Since the application allows updating certain fields (like Node Name) and uses others as shell commands (like ReloadCmd or RestartCmd), the observed \"cross-contamination\" of INI values means an attacker could potentially force a user-controlled string into a command execution field. If ReloadCmd is overwritten with a malicious payload provided in another field, the next nginx reload will execute that payload. While highly impactful, this specific exploit path is non-deterministic and depends on the precise interleaving of thread execution, making targeted exploitation difficult.\n\n### Recommended Mitigation\n1.  **Implement Mutex Locking**: Guard the `ProtectedFill` and `settings.Save()` calls with a `sync.Mutex` to serialize access to global settings.\n2.  **Atomic File Writes**: Implement a \"write-then-rename\" strategy. Write the new configuration to `app.ini.tmp` and use `os.Rename()` to replace the original file atomically, ensuring the configuration file is always in a valid state. The temporary file must be created in the same directory as `app.ini` (a rename is only atomic within one filesystem) and written while holding the same lock, because two writers sharing `app.ini.tmp` would interleave exactly as they do on `app.ini`.\n\nA patched version of nginx-ui is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.",
                    "title": "github - https://api.github.com/advisories/GHSA-m468-xcm6-fxg4"
                },
                {
                    "category": "description",
                    "text": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.",
                    "title": "nvd - https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33028"
                },
                {
                    "category": "description",
                    "text": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.",
                    "title": "cveprojectv5 - https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33028.json"
                },
                {
                    "category": "other",
                    "text": "0.00104",
                    "title": "EPSS"
                },
                {
                    "category": "other",
                    "text": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
                    "title": "CVSSV4"
                },
                {
                    "category": "other",
                    "text": "7.1",
                    "title": "CVSSV4 base score"
                },
                {
                    "category": "other",
                    "text": "4.5",
                    "title": "NCSC Score"
                },
                {
                    "category": "other",
                    "text": "Is related to (a version of) an uncommon product, There is product data available from source Certbundde",
                    "title": "NCSC Score top increasing factors"
                },
                {
                    "category": "other",
                    "text": "There is exploit data available from source Nvd, There is cwe data available from source Nvd, Is related to an uncommon product vendor, The value of the most recent EPSS score",
                    "title": "NCSC Score top decreasing factors"
                }
            ],
            "product_status": {
                "known_affected": [
                    "CSAFPID-5965559",
                    "CSAFPID-5968318",
                    "CSAFPID-5982828",
                    "CSAFPID-5982831"
                ]
            },
            "references": [
                {
                    "category": "external",
                    "summary": "Source - github",
                    "url": "https://api.github.com/advisories/GHSA-m468-xcm6-fxg4"
                },
                {
                    "category": "external",
                    "summary": "Source - nvd",
                    "url": "https://services.nvd.nist.gov/rest/json/cves/2.0?cveId=CVE-2026-33028"
                },
                {
                    "category": "external",
                    "summary": "Source - cveprojectv5",
                    "url": "https://raw.githubusercontent.com/CVEProject/cvelistV5/main/cves/2026/33xxx/CVE-2026-33028.json"
                },
                {
                    "category": "external",
                    "summary": "Source - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0931.json"
                },
                {
                    "category": "external",
                    "summary": "Source - first",
                    "url": "https://api.first.org/data/v1/epss?limit=10000&offset=0"
                },
                {
                    "category": "external",
                    "summary": "Reference - cveprojectv5; github; nvd",
                    "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde; cveprojectv5; github; nvd",
                    "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde; github",
                    "url": "https://github.com/advisories/GHSA-m468-xcm6-fxg4"
                },
                {
                    "category": "external",
                    "summary": "Reference - github",
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33028"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0931.json"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0931"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17151"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17152"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17154"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17156"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17158"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://euvd.enisa.europa.eu/enisa/EUVD-2026-17194"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-5hf2-vhj6-gj9m"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-cp8r-8jvw-v3qg"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-fhh2-gg7w-gwpq"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-h6c2-x2m2-mwhf"
                },
                {
                    "category": "external",
                    "summary": "Reference - certbundde",
                    "url": "https://github.com/advisories/GHSA-m8p8-53vf-8357"
                }
            ],
            "scores": [
                {
                    "cvss_v3": {
                        "version": "3.1",
                        "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                        "baseScore": 7.5,
                        "baseSeverity": "HIGH"
                    },
                    "products": [
                        "CSAFPID-5965559",
                        "CSAFPID-5968318",
                        "CSAFPID-5982828",
                        "CSAFPID-5982831"
                    ]
                }
            ],
            "title": "CVE-2026-33028"
        }
    ]
}