CVE-2026-33032
Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
Description
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.
INFO
- Published Date: March 30, 2026, 6:16 p.m.
- Last Modified: April 16, 2026, 10:16 p.m.
- Remotely Exploitable: Yes
- Source: [email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| 9.8 | CVSS 3.1 | CRITICAL | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | | | [email protected] |
| 9.8 | CVSS 3.1 | CRITICAL | | | | MITRE-CVE |
Solution
- Implement authentication on the /mcp_message endpoint.
- Configure a restrictive IP whitelist for /mcp_message.
- Review and restrict access to the /mcp endpoint.
- Consider upgrading Nginx UI when patches are available.
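To make the flaw in the Description and the first two Solution items concrete, here is an added Go example (constructed for this page, written against net/http rather than nginx-ui's own router, and not the project's code): a whitelist check that reproduces the empty-list-means-allow-all behaviour, beside a fail-closed version chained with the authentication check the vulnerable route lacked. The function names, the bearer-token scheme and the `tools` placeholder handler are assumptions.

```go
package main

import (
	"crypto/subtle"
	"net"
	"net/http"
)

// ipAllowed matches remote (host:port) against allowed entries (single IP or CIDR).
// emptyAllowsAll reproduces the flaw: an empty whitelist is treated as "allow all".
func ipAllowed(allowed []string, remote string, emptyAllowsAll bool) bool {
	if len(allowed) == 0 {
		return emptyAllowsAll // the hardened chain passes false here: fail closed
	}
	host, _, err := net.SplitHostPort(remote)
	if err != nil {
		host = remote // no port present
	}
	ip := net.ParseIP(host)
	for _, e := range allowed {
		_, cidr, cerr := net.ParseCIDR(e)
		if ip != nil && ((cerr == nil && cidr.Contains(ip)) || net.ParseIP(e).Equal(ip)) {
			return true
		}
	}
	return false
}
// guard chains the two checks: IP whitelist first, then (if requireAuth) a bearer
// token compared in constant time. The vulnerable /mcp_message route ran only the first.
func guard(allowed []string, emptyAllowsAll, requireAuth bool, token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !ipAllowed(allowed, r.RemoteAddr, emptyAllowsAll) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		got := []byte(r.Header.Get("Authorization"))
		if requireAuth && subtle.ConstantTimeCompare(got, []byte("Bearer "+token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// tools is a constructed stand-in for the MCP tool dispatcher (restart, config edits, reloads).
var tools = http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
// VulnerableChain mirrors the advisory: whitelist only, and the empty default list allows all.
func VulnerableChain() http.Handler { return guard(nil, true, false, "", tools) }
// HardenedChain: an empty whitelist fails closed and a valid bearer token is required.
func HardenedChain(allowed []string, token string) http.Handler { return guard(allowed, false, true, token, tools) }
```

Wiring HardenedChain in front of the MCP message handler covers Solution items one and two at once: an operator who forgets to configure the whitelist gets a 403 instead of an open endpoint, and a whitelisted client still needs credentials.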
Public PoC/Exploit Available at GitHub
CVE-2026-33032 has 16 public PoC/exploit repositories available on GitHub (listed below).
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2026-33032.
| URL | Resource |
|---|---|
| https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf | Exploit, Mitigation, Vendor Advisory |
| https://websec.net/blog/cve-2026-33032-unauthenticated-nginx-ui-mcp-takeover-69e1200f9fceb1f3fbe9c47f | |
CWE - Common Weakness Enumeration
While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2026-33032 is associated with the following CWEs:
- CWE-306: Missing Authentication for Critical Function
Common Attack Pattern Enumeration and Classification (CAPEC)
CAPEC stores attack patterns, which are descriptions of the common attributes and approaches employed by adversaries to exploit the CVE-2026-33032 weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proof-of-concepts that have been published on GitHub (sorted by the most recently updated).
- The project shares all information on MCP-related CVEs published.
- Scan AI agents for security and policy risks with 180 checks for safer deployments.
- Security gateway for MCP traffic. 5 built-in rules block prompt injection, credential leakage, path traversal, cross-repo exfiltration, and destructive commands. One pip install, zero config.
- One missing function call on the route registration was enough to turn the MCP interface into an unauthenticated RCE gateway.
- Docker Compose setup to demonstrate the nginx-ui missing authentication vulnerability.
- Curated AI OSINT resources: Google dorks, Shodan queries, GitHub dorks, and techniques to discover exposed LLM endpoints, leaked AI API keys, misconfigured vector databases, and unprotected AI agents.
- A curated timeline of real AI agent security incidents, breaches, and vulnerabilities (2024-2026). Every entry sourced and dated.
- Security scanner for MCP-connected AI agent pipelines: 77 rules, 13 scanners, OWASP Agentic 10/10, GitHub Action, SARIF, compliance mapping.
- Non-destructive vulnerability scanner for Nginx-UI MCP Endpoint Authentication Bypass (CVE-2026-33032).
- Cathedral-Grade Security for AI Agents. Attack vectors updated daily. Local-first, zero API cost. MIT licensed.
- Open-source security firewall for AI agents: validates tool calls, strips ghost arguments, enforces type safety, PII masking, RBAC, cost tracking and sandbox isolation. Works with LangChain, OpenAI Agents SDK, PydanticAI and CrewAI.
- PoC auto-collect from GitHub. Be careful: malware.
Results are limited to the first 15 repositories due to potential performance issues.
The following list contains news articles that mention the CVE-2026-33032 vulnerability anywhere in the article.
- The Hacker News, "CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV": The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added two security flaws impacting ConnectWise ScreenConnect and Microsoft Windows to its Known Exploited Vulnerabilities (K ...
- The Hacker News, "Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push": Cybersecurity researchers have disclosed details of a critical security vulnerability impacting GitHub.com and GitHub Enterprise Server that could allow an authenticated user to obtain remote code exe ...
- The Hacker News, "Critical Unpatched Flaw Leaves Hugging Face LeRobot Open to Unauthenticated RCE": Cybersecurity researchers have disclosed details of a critical security flaw impacting LeRobot, Hugging Face's open-source robotics platform with nearly 24,000 GitHub stars, that could be exploited to ...
- The Hacker News, "Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202": Microsoft on Monday revised its advisory for a now-patched, high-severity security flaw impacting Windows Shell to acknowledge that it has been actively exploited in the wild. The vulnerability in que ...
- The Hacker News, "CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline": The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday added four vulnerabilities impacting SimpleHelp, Samsung MagicINFO 9 Server, and D-Link DIR-823X series routers to its Known ...
- The Hacker News, "FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches": The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has revealed that an unnamed federal civilian agency's Cisco Firepower device running Adaptive Security Appliance (ASA) software was co ...
- The Hacker News, "LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure": A high-severity security flaw in LMDeploy, an open-source toolkit for compressing, deploying, and serving LLMs, has come under active exploitation in the wild less than 13 hours after its public discl ...
- The Hacker News, "ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories": You scroll past one incident and see another that feels familiar, like it should have been fixed years ago, but it still works with small changes. Same bugs. Same mistakes. The supply chain is messy. P ...
- The Hacker News, "Apple Patches iOS Flaw That Stored Deleted Signal Notifications in FBI Forensic Case": Apple has rolled out a software fix for iOS and iPadOS to address a Notification Services flaw that stored notifications marked for deletion on the device. The vulnerability, tracked as CVE-2026-28950 ...
- The Hacker News, "Microsoft Patches Critical ASP.NET Core CVE-2026-40372 Privilege Escalation Bug": Microsoft has released out-of-band updates to address a security vulnerability in ASP.NET Core that could allow an attacker to escalate privileges. The vulnerability, tracked as CVE-2026-40372, carrie ...
- The Hacker News, "Cohere AI Terrarium Sandbox Flaw Enables Root Code Execution, Container Escape": A critical security vulnerability has been disclosed in a Python-based sandbox called Terrarium that could result in arbitrary code execution. The vulnerability, tracked as CVE-2026-5752, is rated 9.3 ...
- The Hacker News, "22 BRIDGE:BREAK Flaws Expose 20,000 Lantronix and Silex Serial-to-IP Converters": Cybersecurity researchers have identified 22 new vulnerabilities in popular models of serial-to-IP converters from Lantronix and Silex that could be exploited to hijack susceptible devices and tamper ...
- The Hacker News, "Google Patches Antigravity IDE Flaw Enabling Prompt Injection Code Execution": Cybersecurity researchers have discovered a vulnerability in Google's agentic integrated development environment (IDE), Antigravity, that could be exploited to achieve code execution. The flaw, since ...
- The Hacker News, "CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines": The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco C ...
- SentinelOne, "The Good, the Bad and the Ugly in Cybersecurity – Week 16": The Good | U.S. Authorities Seize W3LL Phishing Ring & Jail DPRK IT Worker Scheme Facilitators. The FBI has dismantled the "W3LL" phishing platform, seized its infrastructure, and arrested its alleged ...
- The Cyber Express, "Critical nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover": A critical vulnerability identified as CVE-2026-33032 is drawing urgent attention from the cybersecurity community due to its role in enabling a full-scale Nginx server takeover. The flaw affects ngin ...
- Daily CyberSecurity, "Critical Hardcoded Credential Bug Hits Nexus Repository 3": In the world of DevSecOps, Sonatype Nexus Repository is a cornerstone for managing software artifacts and supply chain security. However, a recently disclosed vulnerability has revealed that the "vaul ...
- Daily CyberSecurity, "Critical 9.1 Bypass in OAuth2 Proxy Exposes Upstream Resources": In the world of cloud-native security, OAuth2 Proxy serves as a vital gatekeeper, providing a flexible and open-source way to protect web applications with OAuth2 and OIDC authentication. However, a n ...
- CybersecurityNews, "Nginx-ui Vulnerability Actively Exploited in Attack – Enables Full Server Takeover": A critical authentication bypass vulnerability in Nginx UI, tracked as CVE-2026-33032 with a maximum CVSS score of 9.8, is currently being actively exploited in the wild. This flaw allows unauthentica ...
- security.nl, "Critical vulnerability in Nginx UI - CVE-2026-33032": A critical vulnerability in Nginx UI makes it possible for attackers to take over Nginx servers (those that use Nginx UI) remotely. Nginx UI is a web-based management interface ...
The following table lists the changes that have been made to the
CVE-2026-33032 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
- CVE Modified by af854a3a-2127-422b-91ae-364da2661108 (Apr. 16, 2026)
  - Added Reference: https://websec.net/blog/cve-2026-33032-unauthenticated-nginx-ui-mcp-takeover-69e1200f9fceb1f3fbe9c47f
- Initial Analysis by [email protected] (Apr. 01, 2026)
  - Added CPE Configuration: OR *cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:* versions up to (including) 2.3.5
  - Added Reference Type: GitHub, Inc.: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf (Types: Exploit, Mitigation, Vendor Advisory)
  - Added Reference Type: CISA-ADP: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf (Types: Exploit, Mitigation, Vendor Advisory)
- CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Mar. 30, 2026)
  - Added Reference: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf
- New CVE Received by [email protected] (Mar. 30, 2026)
  - Added Description: the text shown under Description at the top of this page
  - Added CVSS V3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  - Added CWE: CWE-306
  - Added Reference: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf