Race Condition Vulnerability in Nginx UI Web Server Interface
CVE-2026-33028

7.1HIGH

Key Information:

Vendor: 0xjacky
Status: Nginx-ui
Vendor: CVE Published:; 30 March 2026

What is CVE-2026-33028?

The Nginx UI web user interface has a vulnerability that arises from a race condition due to the lack of synchronization mechanisms such as Mutex and the use of non-atomic file writes. This flaw can lead to concurrent requests causing corruption of the app.ini primary configuration file. This results in a persistent Denial of Service (DoS), and potentially exposes a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. Users are advised to update to version 2.3.4 or later to mitigate this issue.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

nginx-ui < 2.3.4

References

https://github.com/0xJacky/nginx-ui/security/advisories/G...

x_refsource_CONFIRM

https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4

x_refsource_MISC

CVSS V4

Score:

7.1

Severity:

HIGH

Confidentiality:

Low

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 30, 2026
Vulnerability Reserved
Mar 17, 2026

JSON

0xjacky