Nginx-ui 2.3.4 patch for CVE-2026-33032
Security Patch Release
Summary
nginx-ui maintainers shipped version 2.3.4 to fix CVE-2026-33032, closing a critical security gap for MCP-enabled deployments. The patch matters because the flaw could let a network-adjacent attacker take full control of an nginx server through a single unauthenticated request. The release landed one day after disclosure, and operators are told to update immediately or disable MCP if patching is not possible.
Related Happenings
Avada Builder 3.15.3 patch release (CVE-2026-4782, CVE-2026-4798)
Security Patch Release
First: 15.05.2026 18:56
Last: 15.05.2026 18:56
Sources 1
About this happening:
**Avada Builder** shipped **version 3.15.3** as the full fix for **CVE-2026-4782** and **CVE-2026-4798**, closing the plugin flaws that could expose files and database data. A pri...
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/Mitigation
First: 14.05.2026 18:43
Last: 14.05.2026 18:43
Sources 1
About this happening:
**F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...
F5 security patch release for CVE-2026-42945
Security Patch Release
First: 14.05.2026 09:00
Last: 14.05.2026 09:00
Sources 1
About this happening:
F5 released **security fixes** for **NGINX Plus** and **NGINX Open Source** after disclosing **multiple vulnerabilities**, including **CVE-2026-42945**. The patch release covers i...
Latest development: 17.05.2026 14:57
VulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open Source, saying honeypot networks saw weaponized crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.
Palo Alto Networks PAN-OS CVE-2026-0300 patch release
Security Patch Release
First: 06.05.2026 07:46
Last: 06.05.2026 07:46
Sources 1
About this happening:
Palo Alto Networks is rolling out **patches** for **CVE-2026-0300**, a **critical PAN-OS zero-day** that has already been **exploited in the wild** against **PA and VM series fire...
Linux kernel security update for Copy Fail (CVE-2026-31431)
Security Patch Release
First: 30.04.2026 16:54
Last: 30.04.2026 16:54
Sources 1
About this happening:
**Linux kernel** maintainers have fixed **CVE-2026-31431** and are rolling out updates to close a **local privilege escalation** flaw that lets an unprivileged attacker gain **roo...
Timeline
- 15.04.2026 17:45 · 1 article
Nginx UI CVE-2026-33032 patch release
Initial Disclosure
After Pluto Security disclosed the issue in **March 2026**, the maintainers shipped **version 2.3.4** to address **CVE-2026-33032**. The patch closed the vulnerability in the product's **AI (MCP) integration** before broader exploitation details were reported.
- Exploited Vulnerability Exposes Nginx Servers to Hacking — www.securityweek.com — 15.04.2026 17:45
- 15.04.2026 16:00 · 1 article
nginx-ui CVE-2026-33032 disclosed as actively exploited
Initial Disclosure
Pluto Security identified a critical authentication bypass in nginx-ui, tracked as CVE-2026-33032, and the flaw was being actively exploited in the wild. The issue let a network-adjacent attacker take full control of an nginx server through a single unauthenticated API request, and VulnCheck added the flaw to its Known Exploited Vulnerabilities (KEV) list.
- Critical Nginx-ui MCP Flaw Actively Exploited in the Wild — www.infosecurity-magazine.com — 15.04.2026 16:00
- 15.04.2026 16:00 · 2 articles
nginx-ui maintainers release version 2.3.4 patch
Mitigation Patch Update
nginx-ui maintainers released version 2.3.4 to fix CVE-2026-33032 one day after disclosure, correcting the missing authentication check on /mcp_message for MCP-enabled deployments. Operators were told to update to version 2.3.4 or later and to disable MCP functionality if patching was not possible.
- Critical Nginx-ui MCP Flaw Actively Exploited in the Wild — www.infosecurity-magazine.com — 15.04.2026 16:00
- Critical Nginx UI auth bypass flaw now actively exploited in the wild — www.bleepingcomputer.com — 16.04.2026 01:35