CVE-2026-33029
Published 2026-03-30
Priority P3 (36) · medium · 6.5 CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS 0.95% (56.7th percentile)
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive. This issue has been patched in version 2.3.4.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 0xjacky | nginx-ui | < 2.3.4 | 2.3.4 |
| github.com | 0xjacky_nginx-ui | 0 – 1.99 | — |
| nginxui | nginx_ui | < 2.3.4 | 2.3.4 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| NVD | 4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
OSV · 2026-04-02
CVE-2026-33029: nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval in github.com/0xJacky/Nginx-UI
GHSA · 2026-03-30
CVE-2026-33029 [MEDIUM] CWE-20: nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval
### Summary
An input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive.
### Details
The vulnerability exists in the handler for the POST /api/settings endpoint. Specifically, the logrotate.interval field is accepted as a signed integer without lower-bound verification. When a negative value is processed by the backend logic responsible for scheduling or calculating the next rotation, it triggers a non-terminating loop. This consumes CPU resources and prevents the Go web server fr
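The advisory describes the defect as a missing lower-bound check on `logrotate.interval` in the `POST /api/settings` handler, with a non-positive value then feeding a scheduling calculation that never terminates. The following Go program is an added example, not code from the nginx-ui project: it shows the validation step the advisory says was absent and a guarded next-rotation calculation that fails closed instead of looping. The struct layout, the field names `Logrotate`/`Interval`, the unit (minutes), the upper bound `maxIntervalMinutes` and the handler name `settingsHandler` are all assumptions made for the illustration; only the endpoint path and the field name `logrotate.interval` come from the advisory.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// LogrotateSettings is a hypothetical payload shape; the real nginx-ui struct is assumed, not copied.
type LogrotateSettings struct {
	Enabled  bool `json:"enabled"`
	Interval int  `json:"interval"` // minutes between rotations (unit is an assumption)
}

// Settings mirrors the top-level JSON object sent to POST /api/settings (assumed shape).
type Settings struct {
	Logrotate LogrotateSettings `json:"logrotate"`
}

// maxIntervalMinutes is an assumed sanity ceiling (one year); the advisory only names the lower bound.
const maxIntervalMinutes = 60 * 24 * 365

var ErrBadInterval = errors.New("logrotate.interval must be a positive integer")

// ValidateLogrotate is the lower-bound check the advisory says was missing:
// a signed integer is accepted, so 0 and negatives must be rejected explicitly.
func ValidateLogrotate(s LogrotateSettings) error {
	if s.Interval <= 0 || s.Interval > maxIntervalMinutes {
		return fmt.Errorf("%w (got %d)", ErrBadInterval, s.Interval)
	}
	return nil
}

// NextRotation returns the first rotation instant strictly after now, stepping from last.
// With a non-positive step the catch-up loop could never move past now, which is the
// non-terminating-loop failure mode the advisory describes; the guard returns an error instead.
func NextRotation(last, now time.Time, intervalMinutes int) (time.Time, error) {
	if intervalMinutes <= 0 {
		return time.Time{}, ErrBadInterval
	}
	step := time.Duration(intervalMinutes) * time.Minute
	next := last.Add(step)
	for !next.After(now) {
		next = next.Add(step)
	}
	return next, nil
}

// settingsHandler decodes and validates the body before anything is persisted or scheduled.
func settingsHandler(w http.ResponseWriter, r *http.Request) {
	var s Settings
	dec := json.NewDecoder(http.MaxBytesReader(w, r.Body, 1<<20))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&s); err != nil {
		http.Error(w, "invalid JSON body", http.StatusBadRequest)
		return
	}
	if err := ValidateLogrotate(s.Logrotate); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
	fmt.Fprintln(w, "settings accepted")
}

// PostSettings drives the handler in-process with a constructed request body and returns the HTTP status.
func PostSettings(body string) int {
	req := httptest.NewRequest(http.MethodPost, "/api/settings", strings.NewReader(body))
	rec := httptest.NewRecorder()
	settingsHandler(rec, req)
	return rec.Code
}

func main() {
	// Constructed sample bodies: a sane daily interval and the negative value from the advisory.
	fmt.Println(PostSettings(`{"logrotate":{"enabled":true,"interval":1440}}`)) // 200
	fmt.Println(PostSettings(`{"logrotate":{"enabled":true,"interval":-1}}`))   // 400
}
```

The important design point is that the check runs in the handler, before the value reaches storage or the scheduler, and that the scheduler itself refuses a non-positive step rather than trusting that the API layer already validated it; either guard alone would have prevented the unresponsive-backend outcome.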
OSV · 2026-03-30
CVE-2026-33029 [MEDIUM]: nginx-ui Vulnerable to DoS via Negative Integer Input in Logrotate Interval
No detection rules found.
No public exploits indexed.
Wiz · CVSS 9.4
CVE-2026-33029 [CRITICAL]: CVE-2026-33029 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33029 : Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). By submitting a negative integer for the rotation interval, the backend enters an infinite loop or an invalid state, rendering the web interface unresponsive. This issue has been patched in version 2.3.4.
Source : NVD
Score 6.9
Published March 30, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 18.7
Exploitation Probability (EPSS) 0
Wiz · CVSS 9.4
CVE-2026-33028 [CRITICAL]: CVE-2026-33028 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33028 : Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerable to a Race Condition. Due to the complete absence of synchronization mechanisms (Mutex) and non-atomic file writes, concurrent requests lead to the severe corruption of the primary configuration file (app.ini). This vulnerability results in a persistent Denial of Service (DoS) and introduces a non-deterministic path for Remote Code Execution (RCE) through configuration cross-contamination. This issue has been patched in version 2.3.4.
Source : NVD
Score 7.1
Published March 30, 2026
Severity HIGH
CNA Score 7.1
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
C
Wiz · CVSS 9.8
CVE-2026-27944 [CRITICAL]: CVE-2026-27944 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-27944 : Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
Source : NVD
Score 9.8
Published March 5, 2026
Severity CRITICAL
CNA Score 9.8
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploita
Wiz · CVSS 9.4
CVE-2026-33027 [CRITICAL]: CVE-2026-33027 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33027 : Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly handles URL-encoded traversal sequences. When specially crafted paths are supplied, the backend resolves them to the base Nginx configuration directory and executes the operation on the base directory (/etc/nginx). In particular, this allows an authenticated user to remove the entire /etc/nginx directory, resulting in a partial Denial of Service. This issue has been patched in version 2.3.4.
Source : NVD
Score 6.9
Published March 30, 2026
Severity MEDIUM
CNA Score 6.9
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Dat
Wiz · CVSS 9.4
CVE-2026-33030 [CRITICAL]: CVE-2026-33030 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33030 : Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Direct Object Reference (IDOR) vulnerability that allows any authenticated user to access, modify, and delete resources belonging to other users. The application's base Model struct lacks a user_id field, and all resource endpoints perform queries by ID without verifying user ownership, enabling complete authorization bypass in multi-user environments. At time of publication, there are no publicly available patches.
Source : NVD
Score 9.9
Published March 30, 2026
Severity CRITICAL
CNA Score 8.8
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Da
Wiz · CVSS 9.4
CVE-2026-33032 [CRITICAL]: CVE-2026-33032 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33032 : Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patc
Wiz · CVSS 9.4
CVE-2026-33026 [CRITICAL]: CVE-2026-33026 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-33026 : Nginx UI vulnerability analysis and mitigation
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.
Source : NVD
Score 9.4
Published March 30, 2026
Severity CRITICAL
CNA Score 9.4
Affected Technologies
Nginx UI
Has Public Exploit Yes
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (EPSS) 2
Exploitation Probability (EPSS) N/A
Affected packages and libraries
cpe:2.3:a:nginxui:nginx_ui
github.com/0xjacky/nginx-ui
Sources
GoLang Severity CRITICAL No Fix Added at: Mar
2026-03-30
Published