Find notable cyber news and cases, enriched with sources, timelines, and signals.

Nginx-ui 2.3.4 patch for CVE-2026-33032

Security Patch Release
First reported
Last updated
Happening score
H score 60
3 unique sources, 3 articles

Summary

Hide ▲

nginx-ui maintainers shipped version 2.3.4 to fix CVE-2026-33032, closing a critical security gap for MCP-enabled deployments. The patch matters because the flaw could let a network-adjacent attacker take full control of an nginx server through a single unauthenticated request. The release landed one day after disclosure, and operators are told to update immediately or disable MCP if patching is not possible.

Related Happenings

Gitea Docker images security update (CVE-2026-20896)

Security Patch Release
H score51 First: 06.07.2026 19:28 Last: 06.07.2026 19:28 Sources 1

About this happening: Gitea released **version 1.26.3** to fix **CVE-2026-20896**, closing a critical authentication-bypass risk in **Gitea Docker images**. The update removed the default **"*"** wildc...

Gravity SMTP security patch release for CVE-2026-4020

Security Patch Release
H score16 First: 20.06.2026 12:56 Last: 20.06.2026 12:56 Sources 1

About this happening: **Gravity SMTP** released **version 2.1.5** to fix **CVE-2026-4020**, closing a **medium-severity information disclosure** flaw in the WordPress plugin. The patch addresses a bug...

F5 security patch release for CVE-2026-42530

Security Patch Release
H score39 First: 18.06.2026 20:32 Last: 18.06.2026 20:32 Sources 1

About this happening: **F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...

LiteLLM endpoint-hardening patch release (CVE-2026-42271)

Security Patch Release
H score59 First: 09.06.2026 09:26 Last: 09.06.2026 09:26 Sources 1

About this happening: BerriAI released **LiteLLM 1.83.7**, hardening access to the vulnerable **MCP test endpoints** that accepted full server configurations. The update now requires the **PROXY_ADMIN*...

Nginx security patch release for CVE-2026-49975

Security Patch Release
H score42 First: 03.06.2026 22:08 Last: 03.06.2026 22:08 Sources 1

About this happening: Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...

Timeline

  1. 15.04.2026 17:45 1 articles · 2mo ago

    Nginx UI CVE-2026-33032 patch release

    Initial Disclosure

    After Pluto Security disclosed the issue in **March 2026**, the maintainers shipped **version 2.3.4** to address **CVE-2026-33032**. The patch closed the vulnerability in the product's **AI (MCP) integration** before broader exploitation details were reported.

    Show sources
  2. 15.04.2026 16:00 1 articles · 2mo ago

    nginx-ui CVE-2026-33032 disclosed as actively exploited

    Initial Disclosure

    Pluto Security identified a critical authentication bypass in nginx-ui, tracked as CVE-2026-33032, and the flaw was being actively exploited in the wild. The issue let a network-adjacent attacker take full control of an nginx server through a single unauthenticated API request, and VulnCheck added the flaw to its Known Exploited Vulnerabilities (KEV) list.

    Show sources
  3. 15.04.2026 16:00 2 articles · 2mo ago

    nginx-ui maintainers release version 2.3.4 patch

    Mitigation Patch Update

    nginx-ui maintainers released version 2.3.4 to fix CVE-2026-33032 one day after disclosure, correcting the missing authentication check on /mcp_message for MCP-enabled deployments. Operators were told to update to version 2.3.4 or later and to disable MCP functionality if patching was not possible.

    Show sources