CVE-2026-33027 MEDIUM

CVE-2026-33027: Nginx UI: Improper Path Validation Allows Recursive Deletion of the Nginx Configuration Directory

Vendor 0Xjacky

Product nginx-ui

Weakness CWE-22 · Path traversal

Published March 30, 2026

Last update March 30, 2026

View on NVD All CVEs

CVSS base score

6.9/10

Attack vector Network

Attack complexity Low

Privileges required High

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, this allows an authenticated user to remove the entire /etc/nginx directory, resulting in a partial Denial of Service. This issue has been patched in version 2.3.4.

Key dates

Disclosure timeline

March 30, 2026 CVE published

March 30, 2026 Record updated