CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-33026

criticalcovered by 1 sourcefirst seen 2026-03-30
Summary The nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. Details The backup format lacks a trusted integrity root. Although files are encrypted, the encryption key and IV are provided to the client and the integrity metadata (hash_info.txt) is encrypted using the same key. As a result, an attacker who can access the backup token can decrypt the archive, modify its contents, recompute integrity hashes, and re-encrypt the bundle. Because the restore process does not enforce integrity verification and accepts backups even when hash mismatches are detected, the system restores attacker-controlled configuration even when integrity verification warnings are raised. In certain configurations this may lead to arbitrary command execution on the host. The backup system is built around the following workflow: 1. Backup files are compressed into nginx-ui.zip and nginx.zip. 2. The files are encrypted using AES-256-CBC. 3. SHA-256 hashes of the encrypted files are stored in hash_info.txt. 4. The hash file is also encrypted with the same AES key and IV. 5. The AES key and IV are provided to the client as a "backup security token". This architecture creates a circular trust model: - The encryption key is available to the client. - The integrity metadata is encrypted with that same key. - The restore process trusts hashes contained within the backup itself. Because the attacker can decrypt and re-encrypt all files using the provided token, they can also recompute valid hashes for any modified content. Environment - OS: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64) - Application Version: nginx-ui v2.3.3 (513) e5da6dd (go1.26.0) - Deployment: Docker Container default installation - Relevant Source Files: - backup_crypto.go - backup.go - restore.go - SystemRestoreContent.vue PoC 1. Generate a backup and extract the secur

⚡ Watch CVE-2026-33026

Get an email if CVE-2026-33026 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-33026

CVE.org record

Embed the live status

CVE-2026-33026 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-33026 status](https://www.csirts.com/badge/CVE-2026-33026)](https://www.csirts.com/cve/CVE-2026-33026)