Critical Vulnerability in Nginx UI Web Server Allows Attackers to Take Over

CVE-2026-33032, a critical vulnerability in Nginx UI, has been documented by NIST (the National Institute of Standards and Technology) in the National Vulnerability Database (NVD).

The vulnerability, discovered in March, affects Nginx UI, a web-based management interface for the Nginx web server. The flaw allows unauthenticated remote attackers to invoke Model Context Protocol (MCP) tools without credentials, enabling actions such as restarting Nginx and creating, modifying, or deleting configuration files.

Nginx UI is widely used, with more than 11,000 stars on GitHub and 430,000 Docker pulls. That adoption means the attack surface for CVE-2026-33032 is substantial.

Cause, Mode of Attack and Discovery

The root cause was an unprotected /mcp_message endpoint: the default IP whitelist was empty, and an empty whitelist was treated as "allow all", so access to the endpoint was unrestricted. Exploitation could lead to complete server takeover, allowing attackers to intercept traffic, harvest credentials, and disrupt services. (nvd.nist.gov)
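The fail-open default described above is a general pattern worth seeing side by side with its fix. The Go program below is an added illustration written for this article, not Nginx UI's own code: the Allowlist type, the function names and the single-host CIDR handling are assumptions. It shows an IP allowlist check that treats an empty list as "allow all" next to a fail-closed variant that treats an empty list as "deny all", and wraps the latter in an HTTP middleware so the effect on a request to /mcp_message can be observed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Allowlist holds the parsed CIDR ranges permitted to reach a protected endpoint.
// (Illustrative type; not part of Nginx UI.)
type Allowlist struct {
	nets []*net.IPNet
}

// ParseAllowlist accepts entries such as "10.0.0.0/8" or a bare address
// like "192.168.1.5", which is treated as a single-host range.
func ParseAllowlist(entries []string) (*Allowlist, error) {
	al := &Allowlist{}
	for _, e := range entries {
		if !strings.Contains(e, "/") {
			ip := net.ParseIP(e)
			if ip == nil {
				return nil, fmt.Errorf("allowlist: bad entry %q", e)
			}
			if ip.To4() != nil {
				e += "/32"
			} else {
				e += "/128"
			}
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, err
		}
		al.nets = append(al.nets, n)
	}
	return al, nil
}

func (a *Allowlist) contains(ip net.IP) bool {
	for _, n := range a.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// AllowedFailOpen mirrors the flawed logic: an empty list means everyone is allowed.
func (a *Allowlist) AllowedFailOpen(ip net.IP) bool {
	if len(a.nets) == 0 {
		return true
	}
	return a.contains(ip)
}

// AllowedFailClosed is the hardened variant: an empty list means nobody is allowed.
func (a *Allowlist) AllowedFailClosed(ip net.IP) bool {
	if len(a.nets) == 0 {
		return false
	}
	return a.contains(ip)
}

// Middleware rejects any request whose peer address fails the fail-closed check.
func (a *Allowlist) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr
		}
		ip := net.ParseIP(host)
		if ip == nil || !a.AllowedFailClosed(ip) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ProbeStatus sends a constructed POST /mcp_message from the given peer address
// through the middleware and returns the resulting HTTP status code.
func ProbeStatus(a *Allowlist, remote string) int {
	h := a.Middleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	req := httptest.NewRequest(http.MethodPost, "/mcp_message", nil)
	req.RemoteAddr = remote // constructed peer address for the demonstration
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	empty, _ := ParseAllowlist(nil)
	outside := net.ParseIP("203.0.113.9")
	fmt.Println("empty list, fail-open allows outsider:  ", empty.AllowedFailOpen(outside))
	fmt.Println("empty list, fail-closed allows outsider:", empty.AllowedFailClosed(outside))
	fmt.Println("empty list, middleware status:          ", ProbeStatus(empty, "203.0.113.9:4444"))
	lan, _ := ParseAllowlist([]string{"10.0.0.0/8"})
	fmt.Println("LAN list, status for 10.1.2.3:          ", ProbeStatus(lan, "10.1.2.3:5555"))
}
```

The only difference between the two checks is the branch taken when the list is empty; everything else is identical. That is exactly why a default like this is easy to miss in review: the code looks correct for every configured deployment and only fails for the unconfigured one, which is the state a fresh install ships in.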

The flaw has been described as highly critical, and patching is urgent, particularly now that active exploitation has been confirmed. A patch followed the next day, March 15, in Nginx UI version 2.3.4.

Researchers subsequently published detailed technical information and a working proof-of-concept (PoC) exploit by the end of March. That public disclosure substantially raised the risk of exploitation, since less sophisticated attackers can now trigger the attack as well.

Palo Alto Networks researcher Yotam Perkal provided a detailed breakdown of the exploitation process. The attack is straightforward and requires only network access to the target. It proceeds through the following steps:

  1. The attacker establishes a Server-Sent Events (SSE) connection to the target Nginx UI instance.
  2. The server opens an MCP session and returns a session ID.
  3. The attacker uses that session ID to send arbitrary requests directly to the unprotected /mcp_message endpoint, without including any authentication headers.

Once access is established, the attacker has unrestricted access to all 12 available MCP tools, 7 of which are classified as destructive. The actions an attacker can take include:

  • Connecting to the target Nginx UI instance with no authentication
  • Reading and exfiltrating existing Nginx configuration files
  • Injecting new Nginx server blocks containing malicious configuration directives
  • Triggering an automatic Nginx configuration reload to apply changes
  • Restarting the Nginx service entirely
  • Creating, modifying, or deleting configuration files at will

Why is patching important for organizations?

The active exploitation of CVE-2026-33032 underscores the critical need for organizations to promptly apply security patches and review default configurations to prevent unauthorized access.

The widespread exposure of vulnerable instances highlights the urgency of securing Nginx UI deployments to mitigate potential server takeovers and data breaches.

In the attacks observed, sensitive data was exfiltrated through the compromised server, and finally the attacker disrupted services by restarting Nginx with malicious configurations.

Sources: Critical Nginx UI auth bypass flaw now actively exploited in the wild
