CVE-2026-33032
published 2026-03-30


Priority: P1 93 · Critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 38.48% (98.4th percentile)
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.

Affected (3 ranges)

Vendor       Product            Version range   Fixed in
0xjacky      nginx-ui           <= 2.3.5        (none listed)
github.com   0xjacky_nginx-ui   0 – 1.99        (none listed)
nginxui      nginx_ui           <= 2.3.5        (none listed)

Detection & IOCs (extracted from sources)

url: /mcp
url: /mcp_message
command: nginxconfigadd
  • Detect unauthenticated HTTP POST requests to the /mcp_message endpoint — no Authorization header present. This is the core exploit path for CVE-2026-33032.
  • Alert on HTTP GET to /mcp followed shortly by HTTP POST to /mcp_message from the same source IP, especially without an Authorization header — this two-request sequence is the documented full-takeover attack pattern.
  • Monitor for MCP tool invocations (e.g., nginxconfigadd, tools/call) via POST to /mcp_message without authentication, which indicates active exploitation.
  • Insikt Group created a Nuclei template to detect CVE-2026-33032; use it to scan for exposed Nginx UI instances. Active exploitation was observed on honeypots starting April 1, 2026.
  • Rapid7 InsightVM/Nexpose/Exposure Command unauthenticated checks for CVE-2026-33032 were released in the April 17 content update — deploy these checks to identify vulnerable Nginx UI instances.
  • Flag Nginx UI instances running version 2.3.3 or earlier as vulnerable; the fix is present in version 2.3.4+. The vendor recommends updating to 2.3.6 to avoid version-range discrepancies.
  • The /mcp endpoint requires both IP whitelisting AND authentication, but /mcp_message only requires IP whitelisting — the asymmetric middleware application is the root cause of the bypass.
  • As a workaround (if patching is not immediately possible), add middleware.AuthRequired() to the /mcp_message endpoint, or change the IP allowlist default behavior from allow-all to deny-all.
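The asymmetric middleware and the two workarounds above, shown side by side in an added example. This is illustrative code written for this page, not nginx-ui's own router or middleware: it uses plain net/http, the `tools` handler, `ipAllowlist` and `authRequired` are constructed stand-ins, and `hardened` selects between the vulnerable layout and the corrected one.

```go
package main

import (
	"net"
	"net/http"
)

// tools stands in for the MCP tool dispatcher (constructed; not nginx-ui code).
var tools = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) })

// ipAllowlist admits a client only if its IP is in list. With denyEmpty=false it
// reproduces the advisory's default: an empty list is treated as "allow all".
func ipAllowlist(list []string, denyEmpty bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, _ := net.SplitHostPort(r.RemoteAddr)
		ok := len(list) == 0 && !denyEmpty // the vulnerable branch
		for _, ip := range list {
			ok = ok || ip == host
		}
		if !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// authRequired stands in for AuthRequired(): no Authorization header, no access.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewMux wires both routes. hardened=false mirrors the advisory (auth only on
// /mcp, allow-all allowlist); hardened=true applies both workarounds.
func NewMux(list []string, hardened bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/mcp", ipAllowlist(list, hardened, authRequired(tools)))
	msg := ipAllowlist(list, false, tools) // vulnerable: IP check only
	if hardened {
		msg = ipAllowlist(list, true, authRequired(tools))
	}
	mux.Handle("/mcp_message", msg)
	return mux
}
```

With an empty allowlist, the vulnerable mux answers an unauthenticated POST to /mcp_message with 200 while /mcp returns 401; the hardened mux returns 403 for everyone until an IP is allowlisted, and 401 for that IP until it authenticates.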

CVSS provenance

nvd        v3.1   9.8   CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck         9.8   CRITICAL