What is CVE-2026-33029?

### Summary An input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive. ### Details The vulnerability exists in the handler for the POST /api/settings endpoint. Specifically, the logrotate.interval field is accepted as a signed integer without lower-bound verification. When a negative value is processed by the backend logic responsible for scheduling or calculating the next rotation, it triggers a non-terminating loop. This consumes CPU resources and prevents the Go web server from handling further concurrent requests. **Environment:** - OS: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64) - nginx-ui version: 2.3.3 (513) e5da6dd (go1.26.0 linux/amd64) - Deployment: Docker container - Run Command: ``` docker run -dit \ --name=nginx-ui \ --restart=always \ -v /mnt/user4/appdata/nginx:/etc/nginx \ -v /mnt/user4/appdata/nginx-ui:/etc/nginx-ui \ -v /var/run/docker.sock:/var/run/docker.sock \ -p 8080:80 -p 8443:443 \ uozi/nginx-ui:latest ``` ### PoC 1. Authenticate to the nginx-ui dashboard. 2. Send a POST request to /api/settings (using Burp Suite, Postman, or curl). 3. Set the payload as follows: ``` . . . { "logrotate": { "enabled": true, "cmd": "logrotate /etc/logrotate.d/nginx", "interval": -1 } } . . . ``` 4. Observe that the web server stops responding to all subsequent requests immediately after the injection. ### Impact This is a High-availability vulnerability (CWE-20: Improper Input Validation). Any authenticated user with access to settings can permanently hang the service. A patched version of nginx-ui is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.

What is the severity of CVE-2026-33029?

CVE-2026-33029 has a CVSS v3 score of 6.5, which is classified as Medium severity.

Is there an exploit available for CVE-2026-33029?

No known public exploits are currently available for CVE-2026-33029.

Is there a patch available for CVE-2026-33029?

Yes, patches are available for CVE-2026-33029. Check the vendor advisories for update instructions.

CVE-2026-33029 - CVE Details, Severity, and Analysis

Severity Scores

CVSS v36.5

CVSS v20.0

Priority Score295.0

EPSS Score0.0

Medium

Exploitation LikelihoodMinimal

0.00%EPSS

Very low probability of exploitation

Monitor and patch as resources allow

0.00%

EPSS

6.5

CVSS

No

Exploit

Yes

Patch

Low Priority

no major risk factors

EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.

Description

Summary

An input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive.

Details

The vulnerability exists in the handler for the POST /api/settings endpoint. Specifically, the logrotate.interval field is accepted as a signed integer without lower-bound verification. When a negative value is processed by the backend logic responsible for scheduling or calculating the next rotation, it triggers a non-terminating loop. This consumes CPU resources and prevents the Go web server from handling further concurrent requests.

Environment:

OS: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)
nginx-ui version: 2.3.3 (513) e5da6dd (go1.26.0 linux/amd64)
Deployment: Docker container
Run Command:

docker run -dit \
  --name=nginx-ui \
  --restart=always \
  -v /mnt/user4/appdata/nginx:/etc/nginx \
  -v /mnt/user4/appdata/nginx-ui:/etc/nginx-ui \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 8080:80 -p 8443:443 \
  uozi/nginx-ui:latest

PoC

Authenticate to the nginx-ui dashboard.
Send a POST request to /api/settings (using Burp Suite, Postman, or curl).
Set the payload as follows:

.
.
.
{
  "logrotate": {
    "enabled": true,
    "cmd": "logrotate /etc/logrotate.d/nginx",
    "interval": -1
  }
}
.
.
.

Observe that the web server stops responding to all subsequent requests immediately after the injection. <img width="1041" height="390" alt="image" src="https://github.com/user-attachments/assets/b746a91a-dd63-4f5e-b1a8-382b9d08e181" />

Impact

This is a High-availability vulnerability (CWE-20: Improper Input Validation). Any authenticated user with access to settings can permanently hang the service.

A patched version of nginx-ui is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.

CVSS v3 Breakdown

Attack Vector:Network

Attack Complexity:Local

Privileges Required:Local

User Interaction:Network

Scope:Unchanged

Confidentiality:Network

Integrity:Network

Availability:High

Patch References

Github.com Security [email protected]

Ready for Agentic Automated Testing?

CVE-2026-33029

Summary

Details

PoC

Impact