Critical nginx-ui flaw under active exploitation, researchers say

A critical nginx-ui vulnerability tracked as CVE-2026-33032 is being actively exploited in the wild, exposing an estimated 2,689 internet-facing instances of the open-source Nginx management tool, according to a technical analysis by Pluto Security.

KEY FACTS

  • Severity: CVE-2026-33032 carries a CVSS score of 9.8.
  • Issue: The flaw is an authentication bypass in nginx-ui’s MCP integration.
  • Impact: Attackers can restart Nginx, change configuration files and trigger reloads.
  • Exposure: Shodan data shows about 2,689 exposed instances online.

The issue affects the web-based Nginx management tool through two HTTP endpoints, /mcp and /mcp_message. According to the advisory, /mcp_message was protected only by IP allowlisting, and the default allowlist was empty, a state the middleware treated as "allow all" rather than "deny all". That left the endpoint reachable by any network attacker without authentication.

Researchers said a successful attack could be carried out in two requests: first opening a session through /mcp, then sending a POST request to /mcp_message to invoke MCP tools. The session step normally requires authentication, but in earlier versions attackers could chain CVE-2026-27944 to extract backup data, including credentials, SSL private keys and a node_secret value used to authenticate the MCP interface.

The flaw was fixed in nginx-ui version 2.3.4, released on March 15, 2026. The disclosure said that, as an interim measure, operators can also add middleware.AuthRequired() to /mcp_message or change the behaviour of an empty IP allowlist from allow all to deny all.
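The following Go snippet is an added illustration of the two points above: the weak default in which an empty allowlist means "allow all", and the two interim fixes (a deny-all default for an empty allowlist, or an authentication check in front of the endpoint). It is not nginx-ui's own code; nginx-ui uses the Gin framework, while this stand-in uses only the standard library so it runs offline. The IPAllowlist and AuthRequired types, the bearer-token check, the token value and the client addresses are all constructed for the example and do not reflect how nginx-ui actually validates node_secret.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// IPAllowlist is a constructed stand-in for an IP allowlisting middleware.
// EmptyMeansAllow reproduces the weak default the advisory describes:
// when no entries are configured, every client is let through.
type IPAllowlist struct {
	cidrs           []*net.IPNet
	EmptyMeansAllow bool
}

// NewIPAllowlist parses entries as CIDRs; bare addresses become /32 or /128.
func NewIPAllowlist(entries []string, emptyMeansAllow bool) (*IPAllowlist, error) {
	a := &IPAllowlist{EmptyMeansAllow: emptyMeansAllow}
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if e == "" {
			continue
		}
		if !strings.Contains(e, "/") {
			if strings.Contains(e, ":") {
				e += "/128"
			} else {
				e += "/32"
			}
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, err
		}
		a.cidrs = append(a.cidrs, n)
	}
	return a, nil
}

// Allowed reports whether remoteAddr ("host:port") may reach the endpoint.
// With an empty list the answer is the configured default: the weak variant
// returns true (allow all), the hardened variant returns false (deny all).
func (a *IPAllowlist) Allowed(remoteAddr string) bool {
	if len(a.cidrs) == 0 {
		return a.EmptyMeansAllow
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	for _, n := range a.cidrs {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Middleware rejects clients outside the allowlist with 403.
func (a *IPAllowlist) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !a.Allowed(r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// AuthRequired is a constructed stand-in for an authentication middleware:
// a bearer token must match the configured secret (assumption, not nginx-ui's scheme).
func AuthRequired(secret string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if secret == "" || r.Header.Get("Authorization") != "Bearer "+secret {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends a POST /mcp_message through a handler chain and returns the status code.
func probe(h http.Handler, remoteAddr, bearer string) int {
	req := httptest.NewRequest(http.MethodPost, "/mcp_message", strings.NewReader("{}"))
	req.RemoteAddr = remoteAddr
	if bearer != "" {
		req.Header.Set("Authorization", "Bearer "+bearer)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// Scenario runs one request against three configurations with an EMPTY allowlist:
// the weak default (allow all), the deny-all default, and auth in front of the endpoint.
func Scenario(remoteAddr, bearer string) (weak, denyDefault, withAuth int) {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) })
	weakList, _ := NewIPAllowlist(nil, true)
	hardList, _ := NewIPAllowlist(nil, false)
	const secret = "example-node-secret" // constructed value, not a real credential
	weak = probe(weakList.Middleware(ok), remoteAddr, bearer)
	denyDefault = probe(hardList.Middleware(ok), remoteAddr, bearer)
	withAuth = probe(weakList.Middleware(AuthRequired(secret, ok)), remoteAddr, bearer)
	return
}

func main() {
	w, d, a := Scenario("203.0.113.7:51234", "") // unauthenticated internet client
	fmt.Printf("empty allowlist, allow-all default: %d\n", w)
	fmt.Printf("empty allowlist, deny-all default:  %d\n", d)
	fmt.Printf("empty allowlist + AuthRequired:     %d\n", a)
}
```

The unauthenticated client gets 200 from the weak configuration and is stopped (403 or 401) by either interim fix; only a client presenting the secret passes the authenticated chain. Note that the deny-all default alone blocks everyone until an allowlist is configured, so on a real deployment it should be paired with an explicit list of management hosts.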

Recorded Future listed CVE-2026-33032 among vulnerabilities actively exploited in March 2026, but it said there were no further details on the activity. Pluto Security said organizations running nginx-ui should update immediately or disable MCP functionality and restrict network access.

WHY IT MATTERS

The case shows how a management interface can expose core server controls when a new feature is added without the same protections as the rest of the application. For unpatched deployments the risk is immediate, because the flaw can allow full service takeover without valid credentials. Operators who cannot update straight away should at minimum keep /mcp and /mcp_message off the public internet and review access logs for unexpected requests to those paths; a Shodan exposure count indicates reachability, not confirmed compromise.