{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-33028", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-17T17:22:14.669Z", "datePublished": "2026-03-30T17:59:19.393Z", "dateUpdated": "2026-03-30T20:15:26.098Z"}, "containers": {"cna": {"title": "Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse", "problemTypes": [{"descriptions": [{"cweId": "CWE-362", "lang": "en", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4"}, {"name": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4", "tags": ["x_refsource_MISC"], "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"}], "affected": [{"vendor": "0xJacky", "product": "nginx-ui", "versions": [{"version": "< 2.3.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T17:59:19.393Z"}, "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4."}], "source": {"advisory": "GHSA-m468-xcm6-fxg4", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-30T20:15:12.763884Z", "id": "CVE-2026-33028", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T20:15:26.098Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-33028", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-30T20:15:12.763884Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-30T20:15:20.787Z"}}], "cna": {"title": "Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse", "source": {"advisory": "GHSA-m468-xcm6-fxg4", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "0xJacky", "product": "nginx-ui", "versions": [{"status": "affected", "version": "< 2.3.4"}]}], "references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4", "name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4", "name": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-362", "description": "CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-30T17:59:19.393Z"}}}, "cveMetadata": {"cveId": "CVE-2026-33028", "state": "PUBLISHED", "dateUpdated": "2026-03-30T20:15:26.098Z", "dateReserved": "2026-03-17T17:22:14.669Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-30T17:59:19.393Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*", "matchCriteriaId": "EAC83E05-2DDE-450D-8718-843174EAB4E1", "versionEndExcluding": "2.3.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:uozi:cosy:*:*:*:*:*:go:*:*", "matchCriteriaId": "05EA43ED-701D-4489-B576-21AF6CD2E5DE", "versionEndExcluding": "1.30.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4."}, {"lang": "es", "value": "Nginx UI es una interfaz de usuario web para el servidor web Nginx. Antes de la versi\u00f3n 2.3.4, la aplicaci\u00f3n nginx-ui es vulnerable a una condici\u00f3n de carrera. Debido a la ausencia completa de mecanismos de sincronizaci\u00f3n (Mutex) y escrituras de archivos no at\u00f3micas, las solicitudes concurrentes llevan a la corrupci\u00f3n severa del archivo de configuraci\u00f3n principal (app.ini). Esta vulnerabilidad resulta en una denegaci\u00f3n de servicio (DoS) persistente y introduce una ruta no determinista para la ejecuci\u00f3n remota de c\u00f3digo (RCE) a trav\u00e9s de la contaminaci\u00f3n cruzada de la configuraci\u00f3n. Este problema ha sido parcheado en la versi\u00f3n 2.3.4."}], "id": "CVE-2026-33028", "lastModified": "2026-04-01T18:45:46.340", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-30T18:16:18.947", "references": [{"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-m468-xcm6-fxg4"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-362"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.4)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "nginx-ui", "source": "cna", "vendor": "0xJacky"}, "product": "nginx-ui", "vendor": "0xjacky"}], "analysis": {"en": {"generated_at": "2026-03-30T19:50:29.124017+00:00", "value": {"mitigation_remediation": ["Upgrade Nginx UI to version 2.3.4 or later.", "Restart the Nginx UI service after the upgrade to ensure the new configuration takes effect.", "Verify the integrity of the app.ini file and confirm that it is not corrupted.", "Remove any non\u2011official copies or patches that might re\u2011introduce the issue."], "summary": {"action": "Immediate Patch", "impact": "Persistent Denial of Service with potential Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the 0xJacky Nginx UI application. All installations running versions earlier than 2.3.4 are potentially impacted. No other versions are listed as affected.", "description_and_impact": "A race condition in the Nginx UI web interface, caused by the absence of synchronization mechanisms and non\u2011atomic file writes, corrupts the primary configuration file (app.ini). This corruption is persistent, leading to a denial of service for the UI and potentially creating a non\u2011deterministic path to remote code execution through configuration cross\u2011contamination as the corrupted configuration may be interpreted unexpectedly.", "risk_and_exploitability": "The CVSS score is 7.1, indicating high severity. EPSS information is not provided, and the flaw is not listed in the CISA KEV catalog. Based on the description, it is inferred that the attack can be carried out remotely by sending concurrent web requests to the Nginx UI over the network; no local privileged access is required. The race condition depends on timing, which may make exploitation non\u2011deterministic, but the persistence of the corrupt configuration makes mitigation essential."}}}}, "created": "2026-03-30T20:55:19.637871+00:00", "updated": "2026-03-31T20:40:32.442286+00:00", "vendors": ["0xjacky", "0xjacky$PRODUCT$nginx-ui"]}