Vulnerability in Nginx UI Web Interface for Nginx Server
CVE-2026-33032
What is CVE-2026-33032?
CVE-2026-33032 is a severe vulnerability found in the Nginx UI web interface designed for managing Nginx servers, specifically in versions up to 2.3.5. This vulnerability arises from the Model Context Protocol (MCP) integration, which incorrectly configures access permissions for its HTTP endpoints. While the primary endpoint, /mcp, correctly requires both IP whitelisting and authentication, the secondary endpoint, /mcp_message, fails to enforce authentication as it only implements IP whitelisting. Unfortunately, the default configuration leaves the IP whitelist empty, effectively permitting unrestricted access.
This flaw allows malicious actors on the same network to access critical MCP functionalities without needing authentication. Consequently, attackers could manipulate the Nginx server to restart services, modify configuration files, or trigger automatic reloads. The implications of this vulnerability are dire, as it could lead to a complete takeover of the Nginx service, endangering web applications and data managed by the server.
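The two access models the advisory contrasts, as an added illustration that is not Nginx UI's own code: one policy applies only an IP whitelist and treats an empty list as "no restriction" (the behaviour described for /mcp_message), the other requires a valid credential as well and fails closed when no whitelist entries are configured. Policy field names, the token check and the sample addresses are this example's assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
)

// accessPolicy models the checks in question. Field names are this example's own.
type accessPolicy struct {
	Whitelist   []string // permitted source IPs or CIDRs; empty means nothing configured
	RequireAuth bool     // also demand a valid credential
	FailClosed  bool     // treat an empty whitelist as "deny all" instead of "allow all"
}

// isWhitelisted reports whether remoteIP matches a configured entry (plain IP or CIDR).
func isWhitelisted(whitelist []string, remoteIP string) bool {
	ip := net.ParseIP(remoteIP)
	if ip == nil {
		return false
	}
	for _, entry := range whitelist {
		if _, cidr, err := net.ParseCIDR(entry); err == nil && cidr.Contains(ip) {
			return true
		} else if err != nil && ip.Equal(net.ParseIP(entry)) {
			return true
		}
	}
	return false
}

// authorize returns the HTTP status the policy yields for a request from remoteIP
// presenting token; validToken stands in for whatever credential store is in use.
func authorize(p accessPolicy, remoteIP, token, validToken string) int {
	if len(p.Whitelist) == 0 {
		if p.FailClosed {
			return http.StatusForbidden
		} // permissive semantics: an empty list restricts nothing
	} else if !isWhitelisted(p.Whitelist, remoteIP) {
		return http.StatusForbidden
	}
	if p.RequireAuth && subtle.ConstantTimeCompare([]byte(token), []byte(validToken)) != 1 {
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

func main() {
	whitelistOnly := accessPolicy{}                                    // as described for /mcp_message
	hardened := accessPolicy{RequireAuth: true, FailClosed: true}      // both checks, deny on empty list
	fmt.Println("whitelist-only, no credential:", authorize(whitelistOnly, "203.0.113.7", "", "secret"))
	fmt.Println("hardened, no credential:      ", authorize(hardened, "203.0.113.7", "", "secret"))
}
```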
Potential impact of CVE-2026-33032
- Unauthorized Access and Control: Attackers can access the /mcp_message endpoint without authentication, allowing them to execute critical commands that can compromise the integrity and availability of the Nginx server.
- Configuration Manipulation: With this vulnerability, attackers can easily create, modify, or delete configuration files, leading to potential misconfigurations or complete service disruption.
- Service Disruption: The ability to restart the Nginx server and trigger configuration reloads can lead to downtime, affecting any applications dependent on the server, resulting in financial losses and reputational damage for organizations.

Affected Version(s)
nginx-ui <= 2.3.5
