Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover
CVE-2026-33032 in nginx-ui (CVSS 9.8) is actively exploited in the wild — authentication bypass gives attackers full Nginx server control. Update to 2.3.4 now.
What’s new: A critical vulnerability (CVE-2026-33032) in nginx-ui, an open-source web-based Nginx management tool, is being actively exploited. This authentication bypass flaw allows attackers to take full control of Nginx servers. The vulnerability has a CVSS score of 9.8 and enables unauthorized access to MCP tools, allowing attackers to modify configurations and reload the server.
Who’s affected
Organizations using nginx-ui versions prior to 2.3.4 are at risk. There are approximately 2,689 exposed instances globally, primarily in China, the U.S., Indonesia, Germany, and Hong Kong.
What to do
- Update to nginx-ui version 2.3.4 immediately.
- If unable to update, disable MCP functionality and restrict network access.
- Add “middleware.AuthRequired()” to the “/mcp_message” endpoint to enforce authentication.
- Change the IP allowlisting default from “allow-all” to “deny-all.”
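The last three items describe two layers the MCP endpoint should sit behind: a mandatory authentication check and a source-IP allowlist that rejects anything not explicitly listed. The Go program below is an added example written for this brief, not nginx-ui's own code: it uses the standard library's net/http rather than the project's framework, and `authRequired`, `Allowlist`, `NewRouter`, the bearer-token store and the reading of "allow-all" as "an empty or unmatched list lets the request through" are all constructed stand-ins for the real middleware.AuthRequired() and allowlist settings named above. It registers `/mcp_message` once the vulnerable way (bare handler) and once hardened (deny-by-default IP filter, then authentication), so the difference in which callers reach the handler can be checked directly.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"strings"
)

// Constructed token store standing in for nginx-ui's real session check.
var validTokens = map[string]bool{"constructed-demo-token": true}

// authRequired plays the role of the page's middleware.AuthRequired(): it
// rejects requests without a valid bearer token before the wrapped handler runs.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if tok == "" || !validTokens[tok] {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Allowlist is a source-IP filter. DenyByDefault decides what happens when the
// list is empty or the client is unlisted: false is the permissive "allow-all"
// default the brief warns about, true is the hardened "deny-all" setting.
type Allowlist struct {
	Nets          []*net.IPNet
	DenyByDefault bool
}

// NewAllowlist parses the listed CIDR ranges; a bad range is an error, not a
// silently empty (and therefore possibly permissive) list.
func NewAllowlist(denyByDefault bool, cidrs ...string) (*Allowlist, error) {
	a := &Allowlist{DenyByDefault: denyByDefault}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		a.Nets = append(a.Nets, n)
	}
	return a, nil
}

// Allowed reports whether ip may pass. An unparseable address falls through to
// the default, so only the deny-by-default setting is safe against garbage input.
func (a *Allowlist) Allowed(ipStr string) bool {
	ip := net.ParseIP(ipStr)
	if ip == nil {
		return !a.DenyByDefault
	}
	for _, n := range a.Nets {
		if n.Contains(ip) {
			return true
		}
	}
	return !a.DenyByDefault
}

// Middleware applies the allowlist to each request's remote address.
func (a *Allowlist) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr
		}
		if !a.Allowed(host) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mcpMessage stands in for the MCP handler; reaching it is what lets a caller
// change configuration and reload Nginx, so it must sit behind both filters.
func mcpMessage(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "mcp ok")
}

// NewRouter wires /mcp_message. hardened=false registers the bare handler, as
// the vulnerable versions did; hardened=true applies the IP filter first and
// the authentication check second, so an unlisted or anonymous caller never
// reaches the handler.
func NewRouter(hardened bool, allow *Allowlist) http.Handler {
	mux := http.NewServeMux()
	h := http.Handler(http.HandlerFunc(mcpMessage))
	if hardened {
		h = allow.Middleware(authRequired(h))
	}
	mux.Handle("/mcp_message", h)
	return mux
}

func main() {
	// Constructed deployment: only the 10.0.0.0/8 management network may reach the endpoint.
	allow, err := NewAllowlist(true, "10.0.0.0/8")
	if err != nil {
		panic(err)
	}
	http.ListenAndServe("127.0.0.1:9000", NewRouter(true, allow))
}
```

The ordering matters: the IP filter runs before authentication so that an unlisted source is rejected with 403 without ever exercising the login code path, which is also the cheaper check and the one that still holds if the authentication layer has a bypass of its own.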