Executive Summary

CVE-2026-33029 is a Denial of Service (DoS) vulnerability in the nginx-ui project (versions up to 2.3.3) caused by improper input validation of the logrotate interval configuration.

Specifically, the vulnerability occurs in the POST /api/settings endpoint where the logrotate.interval field accepts signed integers without checking if they are non-negative.

An authenticated user can submit a negative integer (e.g., -1) for this interval, which causes the backend Go server to enter an infinite loop during scheduling or rotation interval calculation.

This infinite loop consumes CPU resources and causes the web interface to become unresponsive, effectively causing a complete Denial of Service.

The issue was patched in version 2.3.4.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by causing a complete Denial of Service (DoS) on the nginx-ui web interface.

An authenticated user can exploit this flaw remotely by submitting a negative value for the logrotate interval, which triggers an infinite loop in the backend server.

As a result, the server's CPU resources are consumed excessively, making the web interface unresponsive and preventing it from handling further requests.

This can disrupt management and monitoring of the Nginx web server through the UI, potentially affecting availability of administrative functions.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring the nginx-ui web interface for unresponsiveness or high CPU usage caused by an infinite loop in the backend server.

A practical detection method involves authenticating to the nginx-ui dashboard and sending a POST request to the /api/settings endpoint with the logrotate.interval field set to a negative integer (e.g., -1). If the server becomes unresponsive or CPU usage spikes, the vulnerability is present.

Example command using curl to test the vulnerability (requires valid authentication token):

• curl -X POST https://<nginx-ui-host>/api/settings -H "Authorization: Bearer <token>" -H "Content-Type: application/json" -d '{"logrotate.interval": -1}'

If the server stops responding or CPU usage increases significantly after this request, it indicates the presence of the vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade nginx-ui to version 2.3.4 or later, where the input validation issue for the logrotate interval has been fixed.

Until the upgrade can be applied, restrict access to the nginx-ui settings interface to trusted and authenticated users only, minimizing the risk of exploitation.

Additionally, monitor the server for unusual CPU usage or unresponsiveness that could indicate exploitation attempts.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes a Denial of Service (DoS) by making the nginx-ui web interface unresponsive due to improper input validation. It impacts availability but does not affect confidentiality or integrity of data.

Since the vulnerability does not lead to unauthorized data access or data breaches, it does not directly violate data protection requirements under standards like GDPR or HIPAA. However, the availability impact could affect compliance if the service outage disrupts critical operations or access to protected data.

Organizations relying on nginx-ui should consider the potential operational impact of this DoS vulnerability on their ability to maintain continuous service and meet availability requirements stipulated by such regulations.

Useful 0 Not Useful 0