At a glance: CVE-2026-33032 is a critical authentication-bypass vulnerability in nginx-ui (CVSS 9.8) that is actively exploited, with activity observed since March 2026. The flaw affects nginx-ui versions 2.3.5 and earlier and stems from an authentication gap in the Model Context Protocol (MCP) integration, where the /mcp_message endpoint fails to enforce authentication. This allows unauthenticated attackers with network access to invoke administrative MCP tools, potentially gaining full control over Nginx configurations and operations.
Threat summary
On April 15, 2026, researchers reported active exploitation of a critical authentication-bypass vulnerability in nginx-ui, tracked as CVE-2026-33032, with exploitation activity observed in March 2026.
The affected product is nginx-ui, not Nginx itself. nginx-ui is a separate management layer that provides a web-based interface for administering Nginx deployments. It includes Model Context Protocol (MCP) interfaces intended for automation and tool invocation. MCP is an open standard introduced by Anthropic on November 25, 2024, designed to connect artificial intelligence assistants to external systems through a client-server model and standardized tools.
In nginx-ui versions 2.3.5 and earlier, the Model Context Protocol (MCP) integration introduces an authentication gap in the management interface. The platform exposes two HTTP endpoints: /mcp, which enforces authentication, and /mcp_message, which does not. When the IP allowlist is not explicitly configured, it defaults to permissive behavior, effectively allowing unauthenticated access.
According to the project’s GitHub advisory, both endpoints rely on the same backend request handler. As a result, an unauthenticated party with network access to the nginx-ui management interface can invoke MCP tools without logging in. The advisory describes an attack scenario in which adversaries send HTTP requests directly to the /mcp_message endpoint on the default nginx-ui management port, 9000.
Because MCP tools provide administrative capabilities, including Nginx configuration changes and service reload or restart operations, successful exploitation enables full administrative control of the Nginx service managed by nginx-ui.
The vulnerability was assigned a Common Vulnerability Scoring System (CVSS) version 3.1 base score of 9.8 (Critical), reflecting network-based exploitation with low attack complexity, no required privileges, and no user interaction.
Proof-of-concept exploit code is publicly available, and exploitation has been reported since March 2026.
Analysis
Organizations are affected when they operate nginx-ui versions 2.3.5 or earlier and expose the nginx-ui management interface; where that interface is reachable from the internet, exploitation can occur remotely.
Mitigation should start with locating nginx-ui deployments, confirming the installed version, and determining whether the /mcp_message endpoint is reachable on the management interface.
Where an immediate upgrade is not feasible, risk reduction actions may include disabling MCP functionality, restricting network access to the nginx-ui management interface, and enforcing authentication on the /mcp_message endpoint instead of relying on fail-open IP allowlisting behavior.
After remediation, validation activities may include reviewing Nginx configuration files and nginx-ui change history for unauthorized modifications, as well as monitoring for unexpected Nginx reload or restart events.
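As an added illustration of two points above (the fail-open allowlist default described in the advisory, and the post-remediation log review), and not code from nginx-ui or the advisory: a simplified allowlist model shown beside its fail-closed form, plus a triage pass over constructed access-log lines for the management port that flags successful /mcp_message requests from sources outside the allowlist. The log format, addresses and allowlist logic are assumptions made for the example.

```python
import ipaddress
import re
from typing import List, Optional

# Constructed sample lines in Nginx combined log format for the nginx-ui
# management port (hypothetical hosts and addresses, not real telemetry).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:10:01:02 +0000] "POST /api/login HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2026:10:01:09 +0000] "POST /mcp_message HTTP/1.1" 200 88 "-" "Mozilla/5.0"
203.0.113.42 - - [12/Mar/2026:10:05:33 +0000] "POST /mcp_message HTTP/1.1" 200 145 "-" "python-requests/2.31"
203.0.113.42 - - [12/Mar/2026:10:05:35 +0000] "POST /mcp_message?x=1 HTTP/1.1" 200 61 "-" "python-requests/2.31"
10.0.0.7 - - [12/Mar/2026:10:06:00 +0000] "POST /mcp_message HTTP/1.1" 401 0 "-" "curl/8.5"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def allowlist_permits(ip: str, allowlist: Optional[List[str]], fail_open: bool) -> bool:
    """Simplified model of an IP allowlist check (an assumption, not nginx-ui's code).
    fail_open=True mirrors the vulnerable default described in the advisory:
    an unset allowlist permits everyone. fail_open=False is the hardened
    behaviour: an unset allowlist permits no one."""
    if not allowlist:
        return fail_open
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in allowlist)


def flag_mcp_message_hits(log_text: str, allowlist: Optional[List[str]]) -> List[dict]:
    """Return successful (2xx) requests to /mcp_message from sources outside the
    allowlist, evaluated fail-closed. Each hit is a candidate for the post-
    remediation review of Nginx config changes and reload/restart events."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        status = int(m.group("status"))
        if path != "/mcp_message" or not 200 <= status < 300:
            continue
        if not allowlist_permits(m.group("ip"), allowlist, fail_open=False):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"), "status": status})
    return hits
```

Running it over the constructed log with an allowlist of 10.0.0.0/24 flags only the two successful requests from 203.0.113.42; with no allowlist configured, the fail-closed evaluation also flags the internal 10.0.0.5 request, which is the reviewer's cue to confirm it was an authenticated operator session.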