Introduction
A critical security flaw in the backup restore mechanism of nginx-ui, tracked as CVE-2026-33026, has been identified. It lets an attacker tamper with an encrypted backup so that restoring it applies attacker-controlled configuration and leads to arbitrary command execution on the host.
Vulnerability Details
The flaw stems from a circular trust model: the backup format has no integrity root that the client cannot reproduce. As reported by 0xJacky, the nginx-ui maintainer, the application hands the AES encryption key and initialization vector (IV) directly to the client as a security token, so whoever holds the token can decrypt the archive and produce a new, validly encrypted one.
Exploit Mechanism
An attacker holding the token can:
- Decrypt the archive with the key and IV from the token
- Alter the configuration files inside it
- Recompute the SHA-256 hashes in the integrity metadata so they match the altered files
- Re-encrypt the bundle with the same key and IV and submit it for restoration
Because the integrity metadata is generated by the attacker from material the server itself handed out, the restore process accepts it without complaint and applies the malicious configuration to the server. A backdoor planted in the nginx configuration then gives the threat actor arbitrary command execution on the host machine.
Impact
Since the attacker recomputes the hashes, the restore's own integrity check passes and no hash mismatch is ever raised, so the tampering is invisible to the application. A successful exploit can lead to complete compromise of the nginx-ui deployment and the host it runs on.
Recommendations for Administrators
Administrators must upgrade nginx-ui to the patched version 2.3.4 immediately. Backups restored before the upgrade from anyone who could have obtained the token should be reviewed for unexpected configuration changes, since the application itself would not have flagged them.
Developer Recommendations
- Introduce a trusted integrity root: sign the backup metadata with a server-side private key that is never exposed to the client, instead of relying on hashes that anyone holding the client-side token can regenerate.
- Enforce strict server-side integrity verification during restore, rejecting the bundle before any attacker-controlled data is processed.
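The following Go program is an added example, not code from nginx-ui or from the advisory: it models the circular trust model of the Exploit Mechanism section and the signed-metadata fix recommended here, in the project's own language. Everything in it is an assumption made for illustration: the backup is a JSON bundle encrypted with AES-CTR under the key and IV carried in the token, the integrity metadata is a per-file SHA-256 manifest, the hardened variant signs that manifest with Ed25519, and the function names (`restoreWeak`, `tamper`, `restoreSigned`), sample files and key material are constructed rather than taken from nginx-ui or the published PoC. `tamper` performs the attacker's four steps; `restoreWeak` accepts its output, `restoreSigned` refuses it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Token is the backup's AES key and IV, which the weak design hands to the client.
type Token struct{ Key, IV []byte }

// Bundle is the backup plaintext: files, their SHA-256 digests and, in the
// hardened design only, a signature over that manifest.
type Bundle struct {
	Files    map[string][]byte   `json:"files"`
	Manifest map[string][32]byte `json:"manifest"`
	Sig      []byte              `json:"sig,omitempty"`
}

func manifestOf(files map[string][]byte) map[string][32]byte {
	m := map[string][32]byte{}
	for p, c := range files {
		m[p] = sha256.Sum256(c)
	}
	return m
}

// manifestBytes is the signed encoding; encoding/json sorts map keys, so it is canonical.
func manifestBytes(m map[string][32]byte) []byte { b, _ := json.Marshal(m); return b }

// xorCTR is AES-CTR under the token (one call encrypts and decrypts). It
// authenticates nothing, so integrity rests on the manifest alone.
func xorCTR(tok Token, in []byte) []byte {
	block, err := aes.NewCipher(tok.Key)
	if err != nil {
		panic(err) // demo keys are fixed-size; real code would return the error
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, tok.IV).XORKeyStream(out, in)
	return out
}

func seal(tok Token, b Bundle) []byte { pt, _ := json.Marshal(b); return xorCTR(tok, pt) }
func open(tok Token, blob []byte) (b Bundle, err error) { err = json.Unmarshal(xorCTR(tok, blob), &b); return }

// verified hands back the files only if each one matches its manifest digest.
func verified(b Bundle) (map[string][]byte, error) {
	for p, c := range b.Files {
		if b.Manifest[p] != sha256.Sum256(c) {
			return nil, fmt.Errorf("hash mismatch for %s", p)
		}
	}
	return b.Files, nil
}

// restoreWeak is the vulnerable design: its only integrity root is the
// manifest inside the archive, which any token holder can rewrite.
func restoreWeak(tok Token, blob []byte) (map[string][]byte, error) {
	b, err := open(tok, blob)
	if err != nil {
		return nil, err
	}
	return verified(b)
}

// tamper is the attacker's side: decrypt with the leaked token, swap in a
// file, recompute the digests and re-encrypt with the same key and IV.
func tamper(tok Token, blob []byte, path string, content []byte) ([]byte, error) {
	b, err := open(tok, blob)
	if err != nil {
		return nil, err
	}
	b.Files[path] = content
	b.Manifest = manifestOf(b.Files)
	return seal(tok, b), nil
}

// sealSigned and restoreSigned add the trusted root the page recommends: an
// Ed25519 signature over the manifest by a server-side key the client never sees.
func sealSigned(tok Token, priv ed25519.PrivateKey, files map[string][]byte) []byte {
	m := manifestOf(files)
	return seal(tok, Bundle{Files: files, Manifest: m, Sig: ed25519.Sign(priv, manifestBytes(m))})
}

func restoreSigned(tok Token, pub ed25519.PublicKey, blob []byte) (map[string][]byte, error) {
	b, err := open(tok, blob)
	if err != nil || !ed25519.Verify(pub, manifestBytes(b.Manifest), b.Sig) {
		return nil, fmt.Errorf("refusing restore: undecodable bundle or bad manifest signature (%v)", err)
	}
	return verified(b) // digests are trusted only once the signature has checked out
}

func main() {
	// Constructed demo: fixed key material; the include line stands in for an attacker's backdoor.
	files := map[string][]byte{"nginx.conf": []byte("worker_processes 1;\n")}
	evil := []byte("include /tmp/evil.conf;\n")
	tok := Token{Key: make([]byte, 32), IV: make([]byte, 16)}
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	t1, _ := tamper(tok, seal(tok, Bundle{Files: files, Manifest: manifestOf(files)}), "nginx.conf", evil)
	_, err := restoreWeak(tok, t1)
	fmt.Println("weak restore of tampered backup, err =", err)
	t2, _ := tamper(tok, sealSigned(tok, priv, files), "nginx.conf", evil)
	_, err = restoreSigned(tok, priv.Public().(ed25519.PublicKey), t2)
	fmt.Println("signed restore of tampered backup, err =", err)
}
```

Run with `go run`: the weak restore reports a nil error for the tampered bundle, the signed restore refuses it. Two design points follow from the code. An authenticated cipher mode would not have helped, because the attacker holds the only key and can produce a fresh authentication tag just as easily as fresh hashes. And signing only the manifest still allows an older, genuinely signed backup to be replayed, so a backup identifier or timestamp belongs inside the signed data if rollback matters.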
Original article: https://gbhackers.com/poc-exploit-code-published-for-nginx-ui/
