- Description
- Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.
- Source
- security-advisories@github.com
- NVD status
- Modified
- Products
- nginx_ui
CVSS 3.1
- Type
- Secondary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- security-advisories@github.com
- CWE-306
- Hype score
- Not currently trending
CRITICAL ALERT: CVE-2026-33032 https://t.co/glXKJ8lwMc #KodjoDoDjango #InfoSecKodjo #CyberSecurity #CVE #NGINX #ThreatIntel #CyberAttack #DevSecOps #SecurityBreach #ThreatHunting #Vulnerability
@BoazakK
19 May 2026
52 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Recorded Future: April 2026 CVE surge — 37 high-impact actively exploited vulns, 19% spike. CVE-2026-33032 Nginx UI auth bypass has public Nuclei PoC live now. Millions of web servers exposed. Patch immediately. https://t.co/qZ9FQAGF9K #CyberSecurity
@lyrie_ai
16 May 2026
48 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*",
"matchCriteriaId": "DAD68C0D-27F9-48C7-8D1A-05EF5E2F7F7B",
"versionEndIncluding": "2.3.5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
]