Nginx-ui authentication bypass (CVE-2026-33032)

Vulnerability · Happening score 48 · 3 unique sources, 3 articles

Summary

nginx-ui has a critical authentication bypass (CVE-2026-33032) that is actively exploited in the wild, putting nginx servers at risk of full takeover via a single unauthenticated API request. The flaw affects the /mcp_message path and exposes management functionality that should have required authentication. nginx-ui maintainers shipped version 2.3.4 to fix the issue, and exposed deployments should update immediately or disable MCP and restrict access.
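Two checks a defender would want after reading this summary, as an added example that is not code from the nginx-ui project or from any of the cited sources: a scan of nginx access-log lines for requests that reached the /mcp_message endpoint from sources that are not on an allowlist, and a helper that compares an installed nginx-ui version against the fixed release 2.3.4. The log lines and IP addresses are constructed for the example; the standard "combined" log format is assumed.

```python
import re
from collections import Counter

# Constructed sample lines in the nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2026:16:02:11 +0000] "POST /mcp_message HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [15/Apr/2026:16:02:13 +0000] "GET /api/settings HTTP/1.1" 401 32 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Apr/2026:16:02:15 +0000] "POST /mcp_message HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.5 - - [15/Apr/2026:16:03:01 +0000] "GET /mcp_message?x=1 HTTP/1.1" 200 128 "-" "curl/8.4.0"
10.0.0.5 - - [15/Apr/2026:16:03:05 +0000] "GET / HTTP/1.1" 200 4096 "-" "curl/8.4.0"
"""

# Fields of the combined log format that the detection needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    """Return the parsed fields of one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_mcp_hits(log_text, allowlist=()):
    """Return records of requests to /mcp_message from sources not on the allowlist.

    The query string is stripped so '/mcp_message?x=1' is still matched.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]
        if path == "/mcp_message" and rec["ip"] not in allowlist:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count hits per source IP so the noisiest sources are triaged first."""
    return Counter(h["ip"] for h in hits)

def version_is_fixed(version):
    """True if an nginx-ui version string is at or above the fixed release 2.3.4.

    Leading 'v' and suffixes such as '-rc1' are tolerated; only the first three
    numeric components are compared.
    """
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts >= (2, 3, 4)
```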

Related Happenings

NGINX rewrite-rule workaround for CVE-2026-42945

Advisory/Mitigation
First: 14.05.2026 18:43 Last: 14.05.2026 18:43 Sources 1

About this happening: **F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...

Nginx UI auth-bypass exploitation wave (CVE-2026-33032)

Exploitation Wave
First: 16.04.2026 01:35 Last: 16.04.2026 01:35 Sources 1

How related: In the CVE Landscape report earlier this week, threat intelligence company Recorded Future notes that CVE-2026-33032 is under active exploitation.

About this happening: **CVE-2026-33032** is now **actively exploited**, creating immediate risk for **publicly exposed Nginx UI** instances that rely on the vulnerable **/mcp_message** endpoint. Intern...

Timeline

  1. 15.04.2026 16:00 · 3 articles

    CVE-2026-33032 disclosed in nginx-ui

    Initial Disclosure

    Pluto Security disclosed a critical authentication bypass in nginx-ui, tracked as CVE-2026-33032 with a CVSS score of 9.8, after finding that a network-adjacent attacker could gain full control of an nginx server through a single unauthenticated API request. VulnCheck added the flaw to its Known Exploited Vulnerabilities (KEV) list, and Recorded Future's Insikt Group separately said it was among 31 high-impact vulnerabilities exploited during March 2026. The flaw affected the /mcp_message endpoint, where missing authentication middleware exposed 12 MCP tools, including configuration writes, server restarts, traffic interception, config reading, and backend reconnaissance.
