CVE-2026-33026
Summary
The nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration.
Details
The backup format lacks a trusted integrity root. Although files are encrypted, the encryption key and IV are provided to the client and the integrity metadata (hash_info.txt) is encrypted using the same key. As a result, an attacker who can access the backup token can decrypt the archive, modify its contents, recompute integrity hashes, and re-encrypt the bundle.
Because the restore process does not enforce integrity verification and accepts backups even when hash mismatches are detected, the system restores attacker-controlled configuration even when integrity verification warnings are raised. In certain configurations this may lead to arbitrary command execution on the host.
The backup system is built around the following workflow:
1. Backup files are compressed into nginx-ui.zip and nginx.zip.
2. The files are encrypted using AES-256-CBC.
3. SHA-256 hashes of the encrypted files are stored in hash_info.txt.
4. The hash file is also encrypted with the same AES key and IV.
5. The AES key and IV are provided to the client as a "backup security token".
This architecture creates a circular trust model:
- The encryption key is available to the client.
- The integrity metadata is encrypted with that same key.
- The restore process trusts hashes contained within the backup itself.
Because the attacker can decrypt and re-encrypt all files using the provided token, they can also recompute valid hashes for any modified content.
Environment
- OS: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)
- Application Version: nginx-ui v2.3.3 (513) e5da6dd (go1.26.0)
- Deployment: Docker Container default installation
- Relevant Source Files:
- backup_crypto.go
- backup.go
- restore.go
- SystemRestoreContent.vue
PoC
1. Generate a backup and extract the secur
⚡ Watch CVE-2026-33026
Get an email if CVE-2026-33026 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.
Exploitation outlook
- Low exploitation risk0.33% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 25% of all EPSS-scored CVEs.
Advisory coverage (1)
- criticalGHSA-fhh2-gg7w-gwpq: nginx-ui Backup Restore Allows Tampering with Encrypted Backupsghsa · 2026-03-30
External references
Embed the live status
— this badge updates automatically when the KEV or exploit status changes. How to embed it →
[](https://www.csirts.com/cve/CVE-2026-33026)