Find notable cyber news and cases, enriched with sources, timelines, and signals.

Nginx UI auth-bypass exploitation wave (CVE-2026-33032)

Exploitation Wave
First reported
Last updated
Happening score
H score 9
1 unique sources, 1 articles

Summary

Hide ▲

CVE-2026-33032 is now actively exploited, creating immediate risk for publicly exposed Nginx UI instances that rely on the vulnerable /mcp_message endpoint. Internet scans identified roughly 2,600 exposed instances, with the largest clusters in China, the United States, Indonesia, Germany, and Hong Kong. Successful abuse can lead to complete nginx service takeover without authentication.

Related Happenings

NGINX web server critical flaws (multiple vulnerabilities)

Vulnerability
H score38 First: 18.06.2026 14:33 Last: 18.06.2026 14:33 Sources 1

About this happening: **NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...

HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)

Vulnerability
H score26 First: 03.06.2026 22:08 Last: 03.06.2026 22:08 Sources 1

About this happening: **HTTP/2 servers** were found vulnerable to the **HTTP/2 Bomb** DoS weakness, where **HPACK compression amplification** plus **HTTP/2 flow-control stalling** lets a single client...

OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)

Exploitation Wave
H score46 First: 17.05.2026 14:57 Last: 17.05.2026 14:57 Sources 1

About this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...

Burst Statistics authentication bypass (CVE-2026-8181)

Vulnerability
H score78 First: 15.05.2026 00:07 Last: 15.05.2026 00:07 Sources 1

About this happening: **Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...

NGINX rewrite-rule workaround for CVE-2026-42945

Advisory/Mitigation
H score23 First: 14.05.2026 18:43 Last: 14.05.2026 18:43 Sources 1

About this happening: **F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...

Timeline

  1. 16.04.2026 01:35 1 articles · 2mo ago

    Pluto Security AI reports CVE-2026-33032 in Nginx UI

    Initial Disclosure

    Researchers at Pluto Security AI report a critical Nginx UI flaw tracked as CVE-2026-33032 after finding that the unprotected `/mcp_message` endpoint lets remote attackers invoke privileged MCP actions without credentials and alter nginx configuration behavior.

    Show sources
  2. 16.04.2026 01:35 1 articles · 2mo ago

    NGNIX ships Nginx UI 2.3.4 to fix CVE-2026-33032

    Mitigation Patch Update

    NGNIX releases Nginx UI version 2.3.4 on March 15 to fix CVE-2026-33032 after the unprotected `/mcp_message` endpoint lets unauthenticated attackers invoke privileged MCP actions, restart nginx, and trigger automatic config reloads.

    Show sources
  3. 16.04.2026 01:35 2 articles · 2mo ago

    Recorded Future notes active exploitation of CVE-2026-33032

    Exploitation Observed

    Recorded Future notes that CVE-2026-33032 is under active exploitation, and Pluto Security says exploitation only requires network access, an SSE connection, an MCP session, and reuse of the returned `sessionID` to send unauthenticated requests to `/mcp_message`, which can lead to complete nginx service takeover.

    Show sources