Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive. This issue has been patched in version 2.3.4.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service – web interface becomes unresponsive
Action: Immediate Patch
AI Analysis

Impact

The vulnerability resides in the logrotate configuration of Nginx UI. Before version 2.3.4 the backend does not validate the rotation interval field. Submitting a negative integer causes an infinite loop or an unusable state, making the web interface unresponsive. The weakness is a classic input validation flaw (CWE‑20). The impact is limited to denial of service; no disclosure or execution of arbitrary code is possible from this flaw.

Affected Systems

The product affected is Nginx UI released by 0xJacky. All releases older than version 2.3.4 are vulnerable. The issue was fixed in release 2.3.4, so upgrades to that version or later remove the risk.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity. The EPSS score of less than 1% suggests a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. However, exploitation requires authentication as the attacker must submit a configuration change. If an attacker gains authentication, they can cause a service outage. The overall risk remains moderate, with the primary concern being availability compromise.

Generated by OpenCVE AI on April 2, 2026 at 22:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the currently installed Nginx UI version
  • Upgrade the application to version 2.3.4 or newer
  • Restart the Nginx UI service to apply the update
  • Verify that the logrotate interval field only accepts positive integers
  • Monitor logs for repeated configuration submission attempts

Generated by OpenCVE AI on April 2, 2026 at 22:08 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cp8r-8jvw-v3qg nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Nginxui
Nginxui nginx Ui
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*
Vendors & Products Nginxui
Nginxui nginx Ui

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared 0xjacky
0xjacky nginx-ui
Vendors & Products 0xjacky
0xjacky nginx-ui

Mon, 30 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive. This issue has been patched in version 2.3.4.
Title Nginx UI: DoS via Negative Integer Input in Logrotate Interval
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

0xjacky Nginx-ui
Nginxui Nginx Ui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:17:47.373Z

Reserved: 2026-03-17T17:22:14.669Z

Link: CVE-2026-33029

cve-icon Vulnrichment

Updated: 2026-04-01T18:17:39.496Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-30T18:16:19.097

Modified: 2026-04-02T17:10:01.437

Link: CVE-2026-33029

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:38:09Z

Weaknesses