
Docker CVE-2026-33029

EUVD-2026-17154 | Severity: MEDIUM (CVSS 4.0 base score 6.9)
Weakness: Improper Input Validation (CWE-20)
Published: 2026-03-30
Project: https://github.com/0xJacky/nginx-ui
Advisory: GHSA-cp8r-8jvw-v3qg

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: High
User Interaction: None
Impact: Vulnerable system availability High (VA:H); no confidentiality or integrity impact, no subsequent-system impact
Safety (S): Not Defined (X). CVSS 4.0 has no Scope metric; the S:X in the vector is the supplemental Safety metric, left undefined.

Lifecycle Timeline

Patch available: Apr 16, 2026 - 05:29 (EUVD), fixed in version 2.3.4
EUVD ID assigned: Mar 30, 2026 - 16:45 (EUVD), EUVD-2026-17154
Analysis generated: Mar 30, 2026 - 16:45 (vuln.today)
CVE published: Mar 30, 2026 - 16:38 (NVD), rated MEDIUM 6.9

Description (NVD)

Summary

An input validation vulnerability in the logrotate configuration allows an authenticated user to cause a complete Denial of Service (DoS). Submitting a negative integer as the rotation interval drives the backend into an infinite loop or an invalid state, leaving the web interface unresponsive.

Details

The vulnerability exists in the handler for the POST /api/settings endpoint. Specifically, the logrotate.interval field is accepted as a signed integer without lower-bound verification. When a negative value is processed by the backend logic responsible for scheduling or calculating the next rotation, it triggers a non-terminating loop. This consumes CPU resources and prevents the Go web server from handling further concurrent requests.

Environment:

  • OS: Kali Linux 6.17.10-1kali1 (6.17.10+kali-amd64)
  • nginx-ui version: 2.3.3 (513) e5da6dd (go1.26.0 linux/amd64)
  • Deployment: Docker container
  • Run Command:
docker run -dit \
  --name=nginx-ui \
  --restart=always \
  -v /mnt/user4/appdata/nginx:/etc/nginx \
  -v /mnt/user4/appdata/nginx-ui:/etc/nginx-ui \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 8080:80 -p 8443:443 \
  uozi/nginx-ui:latest

PoC

  1. Authenticate to the nginx-ui dashboard.
  2. Send a POST request to /api/settings (using Burp Suite, Postman, or curl).
  3. Set the request body to the following JSON:

{
  "logrotate": {
    "enabled": true,
    "cmd": "logrotate /etc/logrotate.d/nginx",
    "interval": -1
  }
}

  4. Observe that the web server stops responding to all subsequent requests immediately after the request is submitted.
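The scheduling failure described under Details and the payload from PoC step 3, as an added Go example that is not nginx-ui's own code. The settings types, the assumption that interval is in minutes, the bounds of 1 to 525600 minutes, and the function names are this example's own. nextRotationUnchecked models the unbounded "advance until in the future" loop that a non-positive interval can never leave (with an artificial step cap so the demonstration terminates); nextRotation and ValidateSettings show the lower-bound check the vulnerable handler lacked, applied before the value is stored or handed to the scheduler.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Settings mirrors the JSON shape of the PoC payload. The field names and the
// assumption that "interval" is expressed in minutes are this example's own;
// they are not nginx-ui's types.
type LogrotateSettings struct {
	Enabled  bool   `json:"enabled"`
	Cmd      string `json:"cmd"`
	Interval int    `json:"interval"`
}

type Settings struct {
	Logrotate LogrotateSettings `json:"logrotate"`
}

// Assumed bounds for the interval: at least one minute, at most one year.
const (
	minIntervalMinutes = 1
	maxIntervalMinutes = 60 * 24 * 365
)

var ErrInvalidInterval = errors.New("logrotate.interval must be between 1 and 525600 minutes")

// PoCPayload is the request body from PoC step 3 above.
const PoCPayload = `{"logrotate":{"enabled":true,"cmd":"logrotate /etc/logrotate.d/nginx","interval":-1}}`

// nextRotationUnchecked models the vulnerable scheduling pattern: add the
// interval to the last run time until the result lies in the future. With an
// interval <= 0 the candidate never moves forward, so the loop never exits.
// maxSteps is an artificial cap added only so this example can show the spin
// without hanging; a false second result means the cap was hit, which is the
// point at which the real, unbounded loop would run forever.
func nextRotationUnchecked(last, now time.Time, intervalMinutes, maxSteps int) (time.Time, bool) {
	step := time.Duration(intervalMinutes) * time.Minute
	next := last.Add(step)
	for i := 0; !next.After(now); i++ {
		if i >= maxSteps {
			return next, false
		}
		next = next.Add(step)
	}
	return next, true
}

// nextRotation is the hardened form: reject out-of-range intervals first,
// then compute the next run arithmetically so no input can make it spin.
func nextRotation(last, now time.Time, intervalMinutes int) (time.Time, error) {
	if intervalMinutes < minIntervalMinutes || intervalMinutes > maxIntervalMinutes {
		return time.Time{}, ErrInvalidInterval
	}
	step := time.Duration(intervalMinutes) * time.Minute
	if !now.After(last) {
		return last.Add(step), nil
	}
	periods := int64(now.Sub(last)/step) + 1 // whole intervals needed to pass now
	return last.Add(time.Duration(periods) * step), nil
}

// ValidateSettings decodes a full settings body and enforces the interval
// bounds the vulnerable handler lacked, before anything is stored or
// scheduled. The bound applies even when logrotate is disabled, so a bad
// value cannot be parked now and activated later.
func ValidateSettings(body []byte) (*Settings, error) {
	var s Settings
	if err := json.Unmarshal(body, &s); err != nil {
		return nil, fmt.Errorf("malformed settings: %w", err)
	}
	if s.Logrotate.Interval < minIntervalMinutes || s.Logrotate.Interval > maxIntervalMinutes {
		return nil, ErrInvalidInterval
	}
	return &s, nil
}

func main() {
	now := time.Now()
	last := now.Add(-time.Hour)

	// Vulnerable pattern: with interval -1 the loop only stops because of the cap.
	_, terminated := nextRotationUnchecked(last, now, -1, 1_000_000)
	fmt.Println("unchecked scheduler terminated with interval -1:", terminated)

	// Hardened path: the PoC body is rejected before it reaches the scheduler.
	if _, err := ValidateSettings([]byte(PoCPayload)); err != nil {
		fmt.Println("hardened validation rejected the PoC payload:", err)
	}
	if next, err := nextRotation(last, now, 30); err == nil {
		fmt.Println("hardened next rotation:", next.Format(time.RFC3339))
	}
}
```

In a real handler the ValidateSettings check belongs in the POST /api/settings code path and should answer 400 on failure; validating at the API boundary rather than inside the scheduler also covers an interval of 0, which the unchecked loop handles no better than a negative value.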


Impact

The impact is on availability (CVSS 4.0 VA:H; CWE-20: Improper Input Validation). Any authenticated user with access to the settings endpoint can hang the service indefinitely with a single request.

A patched version of nginx-ui is available at https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4.

Analysis (AI-generated)

Authenticated denial of service in nginx-ui 2.3.3 and earlier allows any user with settings access to submit a negative integer for the logrotate.interval parameter, triggering an infinite loop in the backend that exhausts CPU resources and renders the web interface unresponsive. Vendor-released patch available in v2.3.4. …


CVE-2026-33029 vulnerability details – vuln.today
