Nginx UI auth-bypass exploitation wave (CVE-2026-33032)
Exploitation Wave
Summary
Hide ▲
Show ▼
CVE-2026-33032 is now actively exploited, creating immediate risk for publicly exposed Nginx UI instances that rely on the vulnerable /mcp_message endpoint. Internet scans identified roughly 2,600 exposed instances, with the largest clusters in China, the United States, Indonesia, Germany, and Hong Kong. Successful abuse can lead to complete nginx service takeover without authentication.
Related Happenings
NGINX web server critical flaws (multiple vulnerabilities)
Vulnerability
H score38
First: 18.06.2026 14:33
Last: 18.06.2026 14:33
Sources 1
About this happening:
**NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...
NGINX web server critical flaws (multiple vulnerabilities)
VulnerabilityAbout this happening: **NGINX** had two critical web server vulnerabilities, **CVE-2026-42530** and **CVE-2026-42055**, that can let **remote unauthenticated attackers** trigger **remote code execution...
HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)
Vulnerability
H score26
First: 03.06.2026 22:08
Last: 03.06.2026 22:08
Sources 1
About this happening:
**HTTP/2 servers** were found vulnerable to the **HTTP/2 Bomb** DoS weakness, where **HPACK compression amplification** plus **HTTP/2 flow-control stalling** lets a single client...
HTTP/2 servers HPACK flow-control DoS denial-of-service flaw (CVE-2026-49975)
VulnerabilityAbout this happening: **HTTP/2 servers** were found vulnerable to the **HTTP/2 Bomb** DoS weakness, where **HPACK compression amplification** plus **HTTP/2 flow-control stalling** lets a single client...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
H score46
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation WaveAbout this happening: **openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
Burst Statistics authentication bypass (CVE-2026-8181)
Vulnerability
H score78
First: 15.05.2026 00:07
Last: 15.05.2026 00:07
Sources 1
About this happening:
**Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...
Burst Statistics authentication bypass (CVE-2026-8181)
VulnerabilityAbout this happening: **Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/Mitigation
H score23
First: 14.05.2026 18:43
Last: 14.05.2026 18:43
Sources 1
About this happening:
**F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/MitigationAbout this happening: **F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...
Timeline
-
16.04.2026 01:35 1 articles · 2mo ago
Pluto Security AI reports CVE-2026-33032 in Nginx UI
Initial DisclosureResearchers at Pluto Security AI report a critical Nginx UI flaw tracked as CVE-2026-33032 after finding that the unprotected `/mcp_message` endpoint lets remote attackers invoke privileged MCP actions without credentials and alter nginx configuration behavior.
Show sources
- Critical Nginx UI auth bypass flaw now actively exploited in the wild — www.bleepingcomputer.com — 16.04.2026 01:35
-
16.04.2026 01:35 1 articles · 2mo ago
NGNIX ships Nginx UI 2.3.4 to fix CVE-2026-33032
Mitigation Patch UpdateNGNIX releases Nginx UI version 2.3.4 on March 15 to fix CVE-2026-33032 after the unprotected `/mcp_message` endpoint lets unauthenticated attackers invoke privileged MCP actions, restart nginx, and trigger automatic config reloads.
Show sources
- Critical Nginx UI auth bypass flaw now actively exploited in the wild — www.bleepingcomputer.com — 16.04.2026 01:35
-
16.04.2026 01:35 2 articles · 2mo ago
Recorded Future notes active exploitation of CVE-2026-33032
Exploitation ObservedRecorded Future notes that CVE-2026-33032 is under active exploitation, and Pluto Security says exploitation only requires network access, an SSE connection, an MCP session, and reuse of the returned `sessionID` to send unauthenticated requests to `/mcp_message`, which can lead to complete nginx service takeover.
Show sources
- Critical Nginx UI auth bypass flaw now actively exploited in the wild — www.bleepingcomputer.com — 16.04.2026 01:35
- Critical Nginx UI auth bypass flaw now actively exploited in the wild — www.bleepingcomputer.com — 16.04.2026 01:35