Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive. This issue has been patched in version 2.3.4.
Published: 2026-03-30
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

An input validation flaw in Nginx UI's logrotate configuration allows an authenticated user to submit a negative integer for the rotation interval. The backend fails to reject this value and instead enters an infinite loop or reaches an invalid state, causing the web interface to hang and become unresponsive. This results in a denial of service. The weakness maps to CWE‑20, which covers improper input validation.

Affected Systems

The vulnerability affects the Nginx UI web interface published by 0xJacky. All releases prior to version 2.3.4 are impacted. Updating to version 2.3.4 or later resolves the flaw.

Risk and Exploitability

The CVSS v3.1 score of 6.9 indicates moderate to high severity. Because the flaw requires authenticated access, exploitation is limited to individuals who can log into the UI, such as administrators or compromised accounts. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog, suggesting no publicly known exploits yet. Nevertheless, the possibility of a DoS remains significant, warranting prompt patching.

Generated by OpenCVE AI on March 30, 2026 at 19:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nginx UI to version 2.3.4 or newer
  • If an upgrade cannot be performed immediately, temporarily disable the logrotate feature or remove the problematic configuration
  • Verify the update by checking the release version and confirming the UI operates normally

Generated by OpenCVE AI on March 30, 2026 at 19:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cp8r-8jvw-v3qg nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval
History

Mon, 30 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive. This issue has been patched in version 2.3.4.
Title Nginx UI: DoS via Negative Integer Input in Logrotate Interval
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T17:59:04.740Z

Reserved: 2026-03-17T17:22:14.669Z

Link: CVE-2026-33029

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-03-30T18:16:19.097

Modified: 2026-03-30T18:16:19.097

Link: CVE-2026-33029

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-30T20:55:20Z

Weaknesses