The “one-click” simplicity of Nginx UI has hit a major security roadblock. Researchers have unveiled a critical vulnerability in the platform’s backup and restore mechanism, identified as CVE-2026-33026, which carries a severe CVSS score of 9.4.
The full technical details of the flaw and a functional proof-of-concept (PoC) exploit code have been publicly disclosed.
Nginx UI is a popular web interface used to manage Nginx clusters, offering features like AI-powered assistance and real-time monitoring. However, its backup system, designed to protect user data, suffers from what the researchers call a “circular trust model”.
The system encrypts backup archives with AES-256-CBC, but it hands the encryption key and Initialization Vector (IV) to the client as a “backup security token”. Encryption only hides the archive contents; it does not prove they are unmodified. The integrity metadata (the hashes the restore routine uses to check that files have not been altered) is encrypted under that same key, so anyone holding the token can both read and rewrite it.
Because the attacker has the key, they can:
- Decrypt the entire backup archive.
- Modify the contents to include malicious configurations.
- Recompute new integrity hashes for the tampered files.
- Re-encrypt the entire bundle, making the malicious backup look perfectly legitimate to the system.
The danger peaks during the restoration process. The report reveals that the system does not strictly enforce integrity verification; it has been observed to “accept backups even when hash mismatches are detected”.
By successfully uploading a tampered backup, an attacker can achieve:
- Persistent Configuration Tampering: Altering how the server behaves long-term.
- Backdoor Insertion: Sneaking malicious entry points into the Nginx configuration.
- Arbitrary Command Execution: Depending on specific settings, an attacker could run commands directly on the host operating system.
- Full Instance Compromise: Gaining total control over the Nginx UI environment.
This vulnerability affects all versions of Nginx UI up to and including version 2.3.3.
Fortunately, a patch is available. Users are urged to upgrade to version 2.3.4 immediately to secure their backup workflows.
The report recommends that developers move away from circular trust by “signing backup metadata using a server-side private key” or storing integrity data completely separate from the archive. For now, the most critical step for any admin is to ensure that the restore process is configured to “abort if hash verification fails”.
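The circular trust model from the attacker steps above and the server-side signing fix recommended here, as an added Go example that is not Nginx UI's code and does not reproduce its real backup format: a constructed nginx config is encrypted with AES-256-CBC under a token handed to the client, its SHA-256 travels inside the same ciphertext, and a token holder (`tamper`) can rewrite both. `restoreCircular` models the vulnerable verifier, with `strict=false` mirroring the reported behaviour of continuing past a hash mismatch; `seal` and `restoreSealed` show the recommended alternative, a MAC under a key that never leaves the server (standing in for the report's server-side private-key signature). The function names, the payload layout, the `sep` marker and the sample config are all assumptions for illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"strings"
)

// Token models the article's "backup security token": the AES-256 key and the
// CBC IV, handed to the client together.
type Token struct{ Key, IV []byte }

// goodArchive is a constructed stand-in for a backed-up nginx config (not Nginx UI's format).
const goodArchive = "server {\n    listen 80;\n    location /admin { return 404; }\n}\n"

// Assumed payload layout: "<archive>" + sep + "<sha256 hex>", encrypted as one blob.
const sep = "\n--hash--\n"

func newToken() Token {
	t := Token{Key: make([]byte, 32), IV: make([]byte, aes.BlockSize)}
	rand.Read(t.Key)
	rand.Read(t.IV)
	return t
}

func encryptCBC(t Token, plain []byte) []byte {
	blk, err := aes.NewCipher(t.Key)
	if err != nil {
		panic(err) // key length is fixed by newToken
	}
	n := aes.BlockSize - len(plain)%aes.BlockSize // PKCS#7 padding
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(n)}, n)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(blk, t.IV).CryptBlocks(out, padded)
	return out
}

func decryptCBC(t Token, ct []byte) ([]byte, error) {
	blk, err := aes.NewCipher(t.Key)
	if err != nil || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("bad key or ciphertext length")
	}
	out := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, t.IV).CryptBlocks(out, ct)
	if n := int(out[len(out)-1]); n >= 1 && n <= aes.BlockSize { // strip PKCS#7
		return out[:len(out)-n], nil
	}
	return nil, errors.New("bad padding")
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// makeBackup is the circular design: the hash meant to protect the archive is
// encrypted alongside it, under the key the client already holds.
func makeBackup(t Token, archive string) []byte {
	return encryptCBC(t, []byte(archive+sep+sha256Hex([]byte(archive))))
}

// restoreCircular checks only the client-controlled hash; strict=false models
// a restore that proceeds despite a mismatch.
func restoreCircular(t Token, backup []byte, strict bool) (string, error) {
	plain, err := decryptCBC(t, backup)
	if err != nil {
		return "", err
	}
	archive, want, ok := strings.Cut(string(plain), sep)
	if !ok || (strict && sha256Hex([]byte(archive)) != want) {
		return "", errors.New("abort: malformed backup or hash mismatch")
	}
	return archive, nil
}

// tamper is everything a token holder can do: decrypt, edit, recompute the
// hash, re-encrypt. The result is indistinguishable from a genuine backup.
func tamper(t Token, backup []byte, old, replacement string) ([]byte, error) {
	plain, err := decryptCBC(t, backup)
	if err != nil {
		return nil, err
	}
	archive, _, _ := strings.Cut(string(plain), sep)
	return makeBackup(t, strings.Replace(archive, old, replacement, 1)), nil
}

// seal is the recommended fix in miniature: a MAC over the ciphertext under a
// key that never leaves the server (a server-side signature works the same way).
func seal(serverKey, backup []byte) []byte {
	m := hmac.New(sha256.New, serverKey)
	m.Write(backup)
	return m.Sum(nil)
}

// restoreSealed fails closed: no decryption, and no lenient path, unless the
// server-side tag matches.
func restoreSealed(t Token, serverKey, tag, backup []byte) (string, error) {
	if !hmac.Equal(tag, seal(serverKey, backup)) {
		return "", errors.New("abort: backup was not sealed by this server")
	}
	return restoreCircular(t, backup, true)
}
```

A backup edited and re-hashed by a token holder passes `restoreCircular` even in strict mode, because the verifier trusts data the attacker could rewrite; `restoreSealed` rejects the same blob because the attacker cannot recompute the server-keyed tag. Computing the MAC over the ciphertext means verification happens before any decryption or parsing of attacker-controlled bytes.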