Nginx UI auth-bypass exploitation wave (CVE-2026-33032)
Exploitation Wave
Summary
CVE-2026-33032 is now actively exploited, creating immediate risk for publicly exposed Nginx UI instances that rely on the vulnerable /mcp_message endpoint. Internet scans identified roughly 2,600 exposed instances, with the largest clusters in China, the United States, Indonesia, Germany, and Hong Kong. Successful abuse can lead to complete nginx service takeover without authentication.
Related Happenings
OpenDCIM multi-flaw exploitation wave (CVE-2026-28515, CVE-2026-28516, CVE-2026-28517)
Exploitation Wave
First: 17.05.2026 14:57
Last: 17.05.2026 14:57
Sources 1
About this happening:
**openDCIM** is seeing an **active exploitation wave** tied to **CVE-2026-28515**, **CVE-2026-28516**, and **CVE-2026-28517**, with attackers targeting vulnerable installations an...
Burst Statistics authentication bypass (CVE-2026-8181)
Vulnerability
First: 15.05.2026 00:07
Last: 15.05.2026 00:07
Sources 1
About this happening:
**Burst Statistics** on **WordPress sites** is facing active exploitation of **CVE-2026-8181**, a critical **authentication bypass** that can let unauthenticated attackers imperso...
NGINX rewrite-rule workaround for CVE-2026-42945
Advisory/Mitigation
First: 14.05.2026 18:43
Last: 14.05.2026 18:43
Sources 1
About this happening:
**F5** issued a **workaround** for vulnerable **NGINX rewrite rules**, reducing exposure to **CVE-2026-42945** for operators who cannot upgrade immediately. The guidance replaces...
PraisonAI missing-authentication flaw actively probed (CVE-2026-44338)
Vulnerability
First: 14.05.2026 14:40
Last: 14.05.2026 14:40
Sources 1
About this happening:
Within **hours of disclosure**, **PraisonAI CVE-2026-44338** was being **probed on internet-exposed instances**, creating **unauthenticated access** risk for the legacy Flask API...
F5 security patch release for CVE-2026-42945
Security Patch Release
First: 14.05.2026 09:00
Last: 14.05.2026 09:00
Sources 1
About this happening:
F5 released **security fixes** for **NGINX Plus** and **NGINX Open Source** after disclosing **multiple vulnerabilities**, including **CVE-2026-42945**. The patch release covers i...
Latest development: 17.05.2026 14:57
VulnCheck reported active exploitation of CVE-2026-42945 against NGINX Plus and NGINX Open, saying honeypot networks saw weaponized crafted HTTP requests that can crash worker processes and, when ASLR is disabled, enable remote code execution.
Timeline
16.04.2026 01:35 · 1 article · 1 month ago
Pluto Security AI reports CVE-2026-33032 in Nginx UI
Initial Disclosure: Researchers at Pluto Security AI report a critical Nginx UI flaw tracked as CVE-2026-33032 after finding that the unprotected `/mcp_message` endpoint lets remote attackers invoke privileged MCP actions without credentials and alter nginx configuration behavior.
Sources:
- Critical Nginx UI auth bypass flaw now actively exploited in the wild — www.bleepingcomputer.com — 16.04.2026 01:35
16.04.2026 01:35 · 1 article · 1 month ago
NGINX ships Nginx UI 2.3.4 to fix CVE-2026-33032
Mitigation Patch Update: NGINX releases Nginx UI version 2.3.4 on March 15 to fix CVE-2026-33032 after the unprotected `/mcp_message` endpoint lets unauthenticated attackers invoke privileged MCP actions, restart nginx, and trigger automatic config reloads.
Sources:
- Critical Nginx UI auth bypass flaw now actively exploited in the wild — www.bleepingcomputer.com — 16.04.2026 01:35
16.04.2026 01:35 · 2 articles · 1 month ago
Recorded Future notes active exploitation of CVE-2026-33032
Exploitation Observed: Recorded Future notes that CVE-2026-33032 is under active exploitation, and Pluto Security says exploitation only requires network access, an SSE connection, an MCP session, and reuse of the returned `sessionID` to send unauthenticated requests to `/mcp_message`, which can lead to complete nginx service takeover.
Sources:
- Critical Nginx UI auth bypass flaw now actively exploited in the wild — www.bleepingcomputer.com — 16.04.2026 01:35