Vulnerability Overview
Disclosed in March 2026, CVE-2026-33032 is a critical vulnerability affecting Nginx UI, a popular web-based interface for managing Nginx configurations. With a CVSS score of 9.8, this flaw allows remote, unauthenticated attackers to completely bypass security controls, gain access to the administrative dashboard, and leverage the built-in system terminal to execute arbitrary commands as the root user inside the running host container.
Exploitation Status: Active exploitation of this vulnerability in the wild has been confirmed by threat intelligence feeds. Honeypots have observed mass scans searching for exposed Nginx UI management interfaces.
Technical Details
The vulnerability stems from the implementation of Nginx UI's web terminal, which runs over WebSockets (/api/terminal). The authentication middleware fails to validate JWT tokens on WebSocket upgrade requests, allowing connection requests to pass through unchecked.
Attack Vector
- An attacker initiates a WebSocket connection directly to the /api/terminal endpoint.
- The upgrade request is processed without checking token parameters.
- The system spawns a pseudo-terminal (pty) linked to the container's shell (/bin/sh).
- The attacker gains full interactive shell access, allowing them to download malware, steal SSH keys, and run lateral reconnaissance.
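One way to enforce the check described above as missing, shown as an added example that is not Nginx UI's own code: a Go middleware that verifies a token before any handler, WebSocket upgrade included, can run. The HS256 scheme, the `token` query parameter name, the key and the stand-in handler are assumptions made for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"net/http"
	"strings"
	"time"
)

// sign returns the base64url HMAC-SHA256 of msg under key.
func sign(msg string, key []byte) string {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// valid checks the signature, the pinned algorithm and the expiry of an HS256 JWT.
func valid(tok string, key []byte, now int64) bool {
	p := strings.Split(tok, ".")
	if len(p) != 3 || !hmac.Equal([]byte(p[2]), []byte(sign(p[0]+"."+p[1], key))) {
		return false
	}
	var h struct{ Alg string }
	var c struct{ Exp int64 }
	hb, _ := base64.RawURLEncoding.DecodeString(p[0])
	cb, _ := base64.RawURLEncoding.DecodeString(p[1])
	return json.Unmarshal(hb, &h) == nil && h.Alg == "HS256" && json.Unmarshal(cb, &c) == nil && now < c.Exp
}

// requireToken wraps next so that no request, WebSocket upgrade included, skips the check.
func requireToken(key []byte, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if tok == "" { // browser WebSocket clients cannot set headers (assumed "token" parameter)
			tok = r.URL.Query().Get("token")
		}
		if !valid(tok, key, time.Now().Unix()) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return // rejected before any upgrade or pty handler runs
		}
		next.ServeHTTP(w, r)
	})
}

func main() { // constructed key and stand-in handler, loopback only
	panic(http.ListenAndServe("127.0.0.1:8080", requireToken([]byte("demo-key"), http.NotFoundHandler())))
}
```

The property to test for in any deployment is the same: an upgrade request to /api/terminal carrying no valid token must receive a 401 rather than a 101.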
Mitigation & Remediation
Organizations using Nginx UI to orchestrate their routing gateways must apply the following mitigations immediately.
1. Upgrade Immediately
Upgrade your Nginx UI deployments to version v2.0.0-beta.9 or higher, where proper WebSocket token validation has been fully implemented.
If utilizing Docker, pull the latest image and restart your stack:
docker compose pull nginx-ui
docker compose up -d
2. Disable Public Exposure
Never expose infrastructure administration dashboards directly to the public internet. Ensure your Nginx UI panel is behind:
- A secure WireGuard VPN tunnel.
- A protective access proxy requiring robust OAuth/OIDC authentication.
Threat Response Advisory
Our intelligence team monitors these vulnerabilities 24/7. For real-time threat detection and custom mitigation playbooks, contact our SOC response unit.
