Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover
Ravie Lakshmanan, Apr 15, 2026, Web Security / Vulnerability
What’s new: A critical authentication bypass vulnerability (CVE-2026-33032, CVSS score 9.8) in nginx-ui, an open-source web-based Nginx management tool, is being actively exploited. The flaw lies in the /mcp_message endpoint, which is served without any authentication check, so an unauthenticated attacker can invoke the MCP tools behind it and take full control of the managed Nginx service.
Who’s affected
Organizations running nginx-ui versions prior to 2.3.4 are at risk, above all those whose instances are reachable from the internet. Around 2,689 instances are publicly reachable, many of them located in China, the U.S., Indonesia, Germany, and Hong Kong.
What to do
- Update to nginx-ui version 2.3.4 immediately; this is the only complete fix.
- If you cannot update yet, apply the “middleware.AuthRequired()” middleware to the “/mcp_message” route so that the endpoint enforces authentication.
- As a temporary measure, change the default IP allowlist from “allow-all” to “deny-all” so that only explicitly listed sources can reach the management interface.
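The two interim mitigations above amount to putting an authentication check and a deny-by-default IP allowlist in front of the /mcp_message route. The following is an added illustration of that pattern, not nginx-ui's own code: it uses Go's standard net/http rather than the project's router, and the names authRequired, ipAllowlist, demoToken and the JSON-RPC request body are constructed for the example. vulnerableMux mirrors the shape the article describes (the route registered with nothing in front of it); hardenedMux shows the route wrapped in both mitigations, and probe lets you confirm the difference without a network.

```go
package main

import (
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// demoToken is a constructed session credential for this example only;
// nginx-ui's real session handling is not reproduced here.
const demoToken = "example-session-token"

// mcpMessageHandler stands in for the /mcp_message endpoint. What matters
// for the vulnerability is not its body but which middleware guards it.
func mcpMessageHandler(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	w.Write([]byte("mcp ok"))
}

// authRequired is an illustrative stand-in for middleware.AuthRequired():
// any request without a valid bearer token is rejected with 401.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := r.Header.Get("Authorization")
		if !strings.HasPrefix(h, "Bearer ") || strings.TrimPrefix(h, "Bearer ") != demoToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ipAllowlist denies by default: only sources inside one of the listed
// CIDRs reach the handler. An empty list therefore behaves as "deny-all".
func ipAllowlist(cidrs []string, next http.Handler) http.Handler {
	var nets []*net.IPNet
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil {
			nets = append(nets, n)
		}
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		ip := net.ParseIP(host)
		if err != nil || ip == nil {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		for _, n := range nets {
			if n.Contains(ip) {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// vulnerableMux mirrors the pre-2.3.4 shape described in the article:
// /mcp_message is registered with no authentication in front of it.
func vulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/mcp_message", mcpMessageHandler)
	return mux
}

// hardenedMux applies both interim mitigations: the allowlist is checked
// first, then the auth middleware, and only then the handler runs.
func hardenedMux(allow []string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/mcp_message", ipAllowlist(allow, authRequired(http.HandlerFunc(mcpMessageHandler))))
	return mux
}

// probe sends one constructed MCP-style request from the given source
// address, with an optional bearer token, and returns the status code.
func probe(h http.Handler, token, remote string) int {
	req := httptest.NewRequest(http.MethodPost, "/mcp_message", strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"tools/list"}`))
	req.RemoteAddr = remote
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	println("vulnerable, no token:      ", probe(vulnerableMux(), "", "203.0.113.7:4444"))
	println("hardened, allowed, no token:", probe(hardenedMux([]string{"10.0.0.0/8"}), "", "10.1.2.3:4444"))
	println("hardened, allowed, token:   ", probe(hardenedMux([]string{"10.0.0.0/8"}), demoToken, "10.1.2.3:4444"))
	println("hardened, deny-all, token:  ", probe(hardenedMux(nil), demoToken, "203.0.113.7:4444"))
}
```

The ordering inside hardenedMux is deliberate: the allowlist rejects off-list sources before any credential is examined, so a deny-all default protects the endpoint even if the authentication layer is misconfigured, while the token check still stops unauthenticated callers coming from an allowed network.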