CVE-2026-33028 (GCVE-0-2026-33028)
Vulnerability from cvelistv5 – Published: 2026-03-30 17:59 – Updated: 2026-03-30 20:15
VLAI?
Title
Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse
Summary
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.
Severity ?
CWE
- CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33028",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-30T20:15:12.763884Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T20:15:26.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nginx-ui",
"vendor": "0xJacky",
"versions": [
{
"status": "affected",
"version": "\u003c 2.3.4"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-362",
"description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-30T17:59:19.393Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4"
},
{
"name": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
}
],
"source": {
"advisory": "GHSA-m468-xcm6-fxg4",
"discovery": "UNKNOWN"
},
"title": "Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33028",
"datePublished": "2026-03-30T17:59:19.393Z",
"dateReserved": "2026-03-17T17:22:14.669Z",
"dateUpdated": "2026-03-30T20:15:26.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33028\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-30T18:16:18.947\",\"lastModified\":\"2026-03-30T18:16:18.947\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"LOW\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-362\"}]}],\"references\":[{\"url\":\"https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4\",\"source\":\"security-advisories@github.com\"}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33028\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-30T20:15:12.763884Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-30T20:15:20.787Z\"}}], \"cna\": {\"title\": \"Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse\", \"source\": {\"advisory\": \"GHSA-m468-xcm6-fxg4\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV4_0\": {\"version\": \"4.0\", \"baseScore\": 7.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"LOW\"}}], \"affected\": [{\"vendor\": \"0xJacky\", \"product\": \"nginx-ui\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 2.3.4\"}]}], \"references\": [{\"url\": \"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4\", \"name\": \"https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4\", \"name\": \"https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-362\", \"description\": \"CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (\u0027Race Condition\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-30T17:59:19.393Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33028\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-30T20:15:26.098Z\", \"dateReserved\": \"2026-03-17T17:22:14.669Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-30T17:59:19.393Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-33028
Vulnerability from fkie_nvd - Published: 2026-03-30 18:16 - Updated: 2026-03-30 18:16
Severity ?
Summary
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4."
}
],
"id": "CVE-2026-33028",
"lastModified": "2026-03-30T18:16:18.947",
"metrics": {
"cvssMetricV40": [
{
"cvssData": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"availabilityRequirement": "NOT_DEFINED",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityRequirement": "NOT_DEFINED",
"exploitMaturity": "NOT_DEFINED",
"integrityRequirement": "NOT_DEFINED",
"modifiedAttackComplexity": "NOT_DEFINED",
"modifiedAttackRequirements": "NOT_DEFINED",
"modifiedAttackVector": "NOT_DEFINED",
"modifiedPrivilegesRequired": "NOT_DEFINED",
"modifiedSubAvailabilityImpact": "NOT_DEFINED",
"modifiedSubConfidentialityImpact": "NOT_DEFINED",
"modifiedSubIntegrityImpact": "NOT_DEFINED",
"modifiedUserInteraction": "NOT_DEFINED",
"modifiedVulnAvailabilityImpact": "NOT_DEFINED",
"modifiedVulnConfidentialityImpact": "NOT_DEFINED",
"modifiedVulnIntegrityImpact": "NOT_DEFINED",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-30T18:16:18.947",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Received",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-362"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-M468-XCM6-FXG4
Vulnerability from github – Published: 2026-03-30 16:34 – Updated: 2026-03-30 21:25
VLAI?
Summary
nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse
Details
Summary
The nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination.
Details
The vulnerability exists because the settings update pipeline does not implement any synchronization primitives. When multiple requests reach the handler simultaneously:
1. Memory Corruption: ProtectedFill() modifies shared global singleton pointers without thread-safety, leading to inconsistent states in memory.
2. File Corruption: The underlying library (gopkg.in/ini.v1) performs direct overwrites. Concurrent write operations interleave at the OS level, resulting in app.ini files with empty leading lines, truncated fields, or partially overwritten configuration keys.
3. State Persistent Failure: Depending on which bytes are corrupted, the application either fails its "is-installed" check (redirecting to /install) or encounters a fatal error during boot/runtime that prevents the process from responding to any further requests.
Environment: - OS: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64) - Application Version: nginx-ui v2.3.3 (513) e5da6dd (go1.26.0) - Deployment: Docker Container
PoC
-
Check original app.ini file valid state:
-
Log in to the
nginx-uidashboard. - Navigate to Preferences and update settings. Capture a
POST /api/settingsrequest and send it to Burp Suite Intruder. - Configure the attack with Null payloads (to test basic concurrency) or a Fuzzing list (to test data-driven corruption).
-
Set the Resource Pool to 20-50 concurrent requests.
-
Observation (In-flight corruption): Monitor the
app.inifile. You will observe the file being written with empty leading lines or incomplete key-value pairs.
- 
-
-
Observation (Recovery Failure): If the service redirects to
/install, attempting to complete the setup again often fails because the underlying configuration state is too corrupted to be reconciled by the installer logic. - Observation (Total Service Collapse): When the corruption in
app.inibecomes so severe, the Go runtime or the INI parser encounters a fatal error, causing the Nginx-UI service to stop responding entirely (Hard DoS).
- Observation (Cross-Section Contamination): During testing, it was observed that sometimes INI sections become interleaved. For example, fields belonging to the
[nginx]section (likeConfigDirorReloadCmd) were erroneously written under the[webauthn]section.
Example of corrupted output observed:
[webauthn]
RPDisplayName =
RPID =
RPOrigins =
gDirWhiteList =
ConfigDir = /etc/nginx
ConfigPath =
PIDPath = /run/nginx.pid
SbinPath =
TestConfigCmd =
ReloadCmd = nginx -s reload
RestartCmd = nginx -s stop
StubStatusPort = 51820
ContainerName =
Impact
This is a High security risk (CWE-362: Race Condition). - Integrity: Permanent corruption of application settings and system-level configuration. - Availability: High. The attack results in a persistent Denial of Service that cannot be recovered via the web UI. - Remote Code Execution (RCE) Risk: Since the application allows updating certain fields (like Node Name) and uses others as shell commands (like ReloadCmd or RestartCmd), the observed "cross-contamination" of INI values means an attacker could potentially force a user-controlled string into a command execution field. If ReloadCmd is overwritten with a malicious payload provided in another field, the next nginx reload will execute that payload. While highly impactful, this specific exploit path is non-deterministic and depends on the precise interleaving of thread execution, making targeted exploitation difficult.
Recommended Mitigation
- Implement Mutex Locking: Wrap the
ProtectedFillandsettings.Save()calls in async.Mutexto serialize access to global settings. - Atomic File Writes: Implement a "write-then-rename" strategy. Write the new configuration to
app.ini.tmpand useos.Rename()to replace the original file atomically, ensuring the configuration file is always in a valid state.
A patched version of nginx-ui is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/0xJacky/Nginx-UI"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.99"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.30.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/uozi-tech/cosy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.30.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33028"
],
"database_specific": {
"cwe_ids": [
"CWE-362"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-30T16:34:35Z",
"nvd_published_at": "2026-03-30T18:16:18Z",
"severity": "HIGH"
},
"details": "### Summary\nThe `nginx-ui` application is vulnerable to a **Race Condition**. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (`app.ini`). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for **Remote Code Execution (RCE)** through configuration cross-contamination.\n\n### Details\nThe vulnerability exists because the settings update pipeline does not implement any synchronization primitives. When multiple requests reach the handler simultaneously:\n1. **Memory Corruption**: `ProtectedFill()` modifies shared global singleton pointers without thread-safety, leading to inconsistent states in memory.\n2. **File Corruption**: The underlying library (`gopkg.in/ini.v1`) performs direct overwrites. Concurrent write operations interleave at the OS level, resulting in `app.ini` files with empty leading lines, truncated fields, or partially overwritten configuration keys.\n3. **State Persistent Failure**: Depending on which bytes are corrupted, the application either fails its \"is-installed\" check (redirecting to `/install`) or encounters a fatal error during boot/runtime that prevents the process from responding to any further requests.\n\n**Environment:**\n- **OS**: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)\n- **Application Version**: nginx-ui v2.3.3 (513) e5da6dd (go1.26.0)\n- **Deployment**: Docker Container\n\n### PoC\n0. Check original app.ini file valid state:\n\u003cimg width=\"524\" height=\"367\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d9688f76-7fe7-46ea-9eb9-c55bf40918a6\" /\u003e\n\n1. Log in to the `nginx-ui` dashboard.\n2. Navigate to Preferences and update settings. Capture a `POST /api/settings` request and send it to **Burp Suite Intruder**.\n3. Configure the attack with **Null payloads** (to test basic concurrency) or a **Fuzzing list** (to test data-driven corruption).\n4. Set the **Resource Pool** to 20-50 concurrent requests.\n\u003cimg width=\"1188\" height=\"776\" alt=\"image\" src=\"https://github.com/user-attachments/assets/403eef43-2bc6-4651-8802-15ddcb4f7631\" /\u003e\n\n5. **Observation (In-flight corruption)**: Monitor the `app.ini` file. You will observe the file being written with empty leading lines or incomplete key-value pairs. \n\n- \u003cimg width=\"1316\" height=\"390\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d99553f7-d253-4525-9b45-f59994e69180\" /\u003e\n------------------------------------------------\n\n- \u003cimg width=\"1368\" height=\"709\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7522ba29-39f1-4c22-88f2-8e859cdb1984\" /\u003e\n\n6. **Observation (Recovery Failure)**: If the service redirects to `/install`, attempting to complete the setup again often fails because the underlying configuration state is too corrupted to be reconciled by the installer logic.\n7. **Observation (Total Service Collapse)**: When the corruption in `app.ini` becomes so severe, the Go runtime or the INI parser encounters a fatal error, causing the Nginx-UI service to stop responding entirely (Hard DoS).\n\n\u003cimg width=\"1344\" height=\"542\" alt=\"image\" src=\"https://github.com/user-attachments/assets/da4b99dc-ddce-4b79-b0bb-2d634bdd3bf7\" /\u003e\n\n8. **Observation (Cross-Section Contamination)**: During testing, it was observed that sometimes INI sections become interleaved. For example, fields belonging to the `[nginx]` section (like `ConfigDir` or `ReloadCmd`) were erroneously written under the `[webauthn]` section.\n \n **Example of corrupted output observed:**\n```\n[webauthn]\nRPDisplayName = \nRPID = \nRPOrigins = \ngDirWhiteList = \nConfigDir = /etc/nginx\nConfigPath = \nPIDPath = /run/nginx.pid\nSbinPath = \nTestConfigCmd = \nReloadCmd = nginx -s reload\nRestartCmd = nginx -s stop\nStubStatusPort = 51820\nContainerName = \n```\n\n### Impact\nThis is a **High** security risk (CWE-362: Race Condition).\n- **Integrity**: Permanent corruption of application settings and system-level configuration.\n- **Availability**: High. The attack results in a persistent Denial of Service that cannot be recovered via the web UI.\n- **Remote Code Execution (RCE)** Risk: Since the application allows updating certain fields (like Node Name) and uses others as shell commands (like ReloadCmd or RestartCmd), the observed \"cross-contamination\" of INI values means an attacker could potentially force a user-controlled string into a command execution field. If ReloadCmd is overwritten with a malicious payload provided in another field, the next nginx reload will execute that payload. While highly impactful, this specific exploit path is non-deterministic and depends on the precise interleaving of thread execution, making targeted exploitation difficult.\n\n### Recommended Mitigation\n1. **Implement Mutex Locking**: Wrap the `ProtectedFill` and `settings.Save()` calls in a `sync.Mutex` to serialize access to global settings.\n2. **Atomic File Writes**: Implement a \"write-then-rename\" strategy. Write the new configuration to `app.ini.tmp` and use `os.Rename()` to replace the original file atomically, ensuring the configuration file is always in a valid state.\n\nA patched version of nginx-ui is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.",
"id": "GHSA-m468-xcm6-fxg4",
"modified": "2026-03-30T21:25:51Z",
"published": "2026-03-30T16:34:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33028"
},
{
"type": "PACKAGE",
"url": "https://github.com/0xJacky/nginx-ui"
},
{
"type": "WEB",
"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "nginx-ui has Race Condition that Leads to Persistent Data Corruption and Service Collapse"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…