Nginx-ui 2.3.4 patch for CVE-2026-33032
Security Patch Release
Summary
Hide ▲
Show ▼
nginx-ui maintainers shipped version 2.3.4 to fix CVE-2026-33032, closing a critical security gap for MCP-enabled deployments. The patch matters because the flaw could let a network-adjacent attacker take full control of an nginx server through a single unauthenticated request. The release landed one day after disclosure, and operators are told to update immediately or disable MCP if patching is not possible.
Related Happenings
Gitea Docker images security update (CVE-2026-20896)
Security Patch Release
H score51
First: 06.07.2026 19:28
Last: 06.07.2026 19:28
Sources 1
About this happening:
Gitea released **version 1.26.3** to fix **CVE-2026-20896**, closing a critical authentication-bypass risk in **Gitea Docker images**. The update removed the default **"*"** wildc...
Gitea Docker images security update (CVE-2026-20896)
Security Patch ReleaseAbout this happening: Gitea released **version 1.26.3** to fix **CVE-2026-20896**, closing a critical authentication-bypass risk in **Gitea Docker images**. The update removed the default **"*"** wildc...
Gravity SMTP security patch release for CVE-2026-4020
Security Patch Release
H score16
First: 20.06.2026 12:56
Last: 20.06.2026 12:56
Sources 1
About this happening:
**Gravity SMTP** released **version 2.1.5** to fix **CVE-2026-4020**, closing a **medium-severity information disclosure** flaw in the WordPress plugin. The patch addresses a bug...
Gravity SMTP security patch release for CVE-2026-4020
Security Patch ReleaseAbout this happening: **Gravity SMTP** released **version 2.1.5** to fix **CVE-2026-4020**, closing a **medium-severity information disclosure** flaw in the WordPress plugin. The patch addresses a bug...
F5 security patch release for CVE-2026-42530
Security Patch Release
H score39
First: 18.06.2026 20:32
Last: 18.06.2026 20:32
Sources 1
About this happening:
**F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
F5 security patch release for CVE-2026-42530
Security Patch ReleaseAbout this happening: **F5** released security updates for **NGINX Open Source** after finding **two critical vulnerabilities** that could lead to **remote code execution** on affected systems. The pat...
LiteLLM endpoint-hardening patch release (CVE-2026-42271)
Security Patch Release
H score59
First: 09.06.2026 09:26
Last: 09.06.2026 09:26
Sources 1
About this happening:
BerriAI released **LiteLLM 1.83.7**, hardening access to the vulnerable **MCP test endpoints** that accepted full server configurations. The update now requires the **PROXY_ADMIN*...
LiteLLM endpoint-hardening patch release (CVE-2026-42271)
Security Patch ReleaseAbout this happening: BerriAI released **LiteLLM 1.83.7**, hardening access to the vulnerable **MCP test endpoints** that accepted full server configurations. The update now requires the **PROXY_ADMIN*...
Nginx security patch release for CVE-2026-49975
Security Patch Release
H score42
First: 03.06.2026 22:08
Last: 03.06.2026 22:08
Sources 1
About this happening:
Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...
Nginx security patch release for CVE-2026-49975
Security Patch ReleaseAbout this happening: Vendors released fixes for the **HTTP/2 Bomb** DoS issue, closing a path that could let a **single client** exhaust server memory within seconds. The patch set covers **nginx 1.29...
Timeline
-
15.04.2026 17:45 1 articles · 2mo ago
Nginx UI CVE-2026-33032 patch release
Initial DisclosureAfter Pluto Security disclosed the issue in **March 2026**, the maintainers shipped **version 2.3.4** to address **CVE-2026-33032**. The patch closed the vulnerability in the product's **AI (MCP) integration** before broader exploitation details were reported.
Show sources
- Exploited Vulnerability Exposes Nginx Servers to Hacking — www.securityweek.com — 15.04.2026 17:45
-
15.04.2026 16:00 1 articles · 2mo ago
nginx-ui CVE-2026-33032 disclosed as actively exploited
Initial DisclosurePluto Security identified a critical authentication bypass in nginx-ui, tracked as CVE-2026-33032, and the flaw was being actively exploited in the wild. The issue let a network-adjacent attacker take full control of an nginx server through a single unauthenticated API request, and VulnCheck added the flaw to its Known Exploited Vulnerabilities (KEV) list.
Show sources
- Critical Nginx-ui MCP Flaw Actively Exploited in the Wild — www.infosecurity-magazine.com — 15.04.2026 16:00
-
15.04.2026 16:00 2 articles · 2mo ago
nginx-ui maintainers release version 2.3.4 patch
Mitigation Patch Updatenginx-ui maintainers released version 2.3.4 to fix CVE-2026-33032 one day after disclosure, correcting the missing authentication check on /mcp_message for MCP-enabled deployments. Operators were told to update to version 2.3.4 or later and to disable MCP functionality if patching was not possible.
Show sources
- Critical Nginx-ui MCP Flaw Actively Exploited in the Wild — www.infosecurity-magazine.com — 15.04.2026 16:00
- Critical Nginx UI auth bypass flaw now actively exploited in the wild — www.bleepingcomputer.com — 16.04.2026 01:35