wid-sec-w-2026-0931 · Published 2026-03-30 · View on BSI CERT-Bund ↗

nginx-ui: Multiple Vulnerabilities

CVSS 9.8 CRITICAL

Risk Summary

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, this allows an authenticated user to remove the entire /etc/nginx directory, resulting in a partial Denial of Service. This issue has been patched in version 2.3.4.

CVEs (6)

CVE-2026-33026 CVE-2026-33027 CVE-2026-33028 CVE-2026-33029 CVE-2026-33030 CVE-2026-33032

Affected Vendors

NGINX

Affected Products (2)

NGINX · NGINX UI <2.3.4

NGINX · NGINX UI 2.3.4

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more