Overview
CVE-2026-33032 is a critical authentication bypass vulnerability affecting Nginx UI, a web-based interface used to manage Nginx configurations. The flaw exists in the Model Context Protocol integration, where the /mcp_message endpoint does not enforce authentication and relies only on an IP whitelist that is empty by default. This fail-open behavior can allow unauthenticated network attackers to invoke privileged MCP tools and take control of managed Nginx configurations.
Impact and Risk Assessment
Risk Level: Critical
CVSS Score: 9.8 (CVSS v3.1)
Reason for Risk Level
This vulnerability allows unauthenticated attackers with network access to the Nginx UI service to create, modify, delete, or read Nginx configuration files and trigger configuration reloads. Successful exploitation may enable traffic interception, credential harvesting, service disruption, configuration disclosure, and full compromise of Nginx service management. The risk is especially severe where Nginx UI is exposed directly to the internet or deployed with default access controls.
Impact
Attackers can create, modify, or delete Nginx configuration files. Malicious server blocks can be injected to proxy traffic to attacker-controlled servers or log sensitive Authorization headers.
Injecting invalid configurations can trigger an immediate reload, crashing the Nginx service. Additionally, attackers can read existing configurations to reveal backend infrastructure and upstream server details.
Vulnerability Details
The application exposes two MCP-related endpoints: /mcp and /mcp_message. While /mcp enforces authentication, /mcp_message does not. It relies solely on an IP whitelist, which is empty by default.
Due to a “fail-open” logic flaw, an empty whitelist is treated as “allow all,” thereby granting unauthenticated access to underlying MCP tools.
Affected Product and Versions:
- Product: Nginx-UI (GitHub: 0xJacky/Nginx-UI)
- Version: 2.3.5 and earlier
Attack Vector and Exploitation Scenario
An attacker scans for internet-exposed Nginx UI instances, commonly on port 9000, and sends a crafted POST request to /mcp_message.
Using the tools/call method, the attacker invokes the nginx_config_add tool.
The malicious configuration is then written to disk, and the application automatically reloads Nginx, activating the attacker’s changes without requiring a restart.
MITRE ATT&CK Mapping (CVE-2026-33032)
| Tactic | Technique ID | Technique Name | Observed Behavior in CVE-2026-33032 |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Use of the /mcp_message endpoint to gain access. |
| Impact | T1565 | Data Manipulation | Modifying Nginx .conf files to redirect traffic. |
| Credential Access | T1040 | Network Sniffing | Capturing or exposing sensitive traffic and headers through malicious Nginx proxy configurations. |
Exploit Status
- Public PoC: Available.
- In-the-Wild Exploitation: Confirmed. Reported as actively exploited in the wild.
- Threat Activity: Widespread automated scanning from cloud-hosted infrastructure has been observed.
Operational Implication
Defenders must assume that any Nginx UI instance exposed to the internet during the vulnerability window (March–April 2026) has likely been probed or compromised. Unauthorized Nginx reloads or modified .conf files should be treated as high-severity incidents.
Mitigation and Recommendations
- Update Nginx UI to the latest stable version.
- Place management interfaces behind a VPN or SSH tunnel; never expose them directly to the public internet.
- Configure a non-empty IP allowlist and restrict access to trusted administrative hosts only.
- If MCP functionality is not required, disable it entirely via the configuration file.
- Review existing Nginx configuration files for unauthorized changes and investigate unexpected reloads or configuration additions.
Detection and Monitoring Guidance
- Monitor web server logs for POST requests to /mcp_message.
- Trigger alerts on JSON-RPC traffic containing method: "tools/call".
- Monitor /etc/nginx/conf.d/ and other Nginx configuration directories for unauthorized file additions or modifications.
- Audit unexpected Nginx reload events (nginx -s reload).
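As an added example (not from this advisory or the Nginx UI project), the following Python snippet applies the first two checks above: it flags POST requests to /mcp_message in constructed access-log lines, and classifies a captured JSON-RPC body by whether it is a tools/call invoking the nginx_config_add tool. It assumes Nginx's combined log format and that the tool name sits in the MCP params.name field.

```python
import json
import re

# Nginx combined log format (assumed); enough fields are captured to identify the request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines for demonstration; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Apr/2026:10:00:01 +0000] "POST /mcp_message HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.5 - - [01/Apr/2026:10:00:02 +0000] "GET /api/configs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Apr/2026:10:00:03 +0000] "POST /mcp_message?x=1 HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.4 - - [01/Apr/2026:10:00:04 +0000] "POST /mcp HTTP/1.1" 401 0 "-" "curl/8.0"
"""


def flag_mcp_message_requests(log_text):
    """Return (ip, path, status) for every POST to /mcp_message, ignoring query strings."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "POST" and path == "/mcp_message":
            hits.append((m.group("ip"), path, int(m.group("status"))))
    return hits


def classify_jsonrpc(body, tools_of_concern=("nginx_config_add",)):
    """Classify a request body captured by a WAF or body-logging proxy.

    Returns "critical" for tools/call naming a config-writing tool, "high" for any
    other tools/call, and None for non-JSON or unrelated JSON-RPC methods.
    The tool name is assumed to be carried in params.name (MCP tools/call shape).
    """
    try:
        msg = json.loads(body)
    except (ValueError, TypeError):
        return None
    if not isinstance(msg, dict) or msg.get("method") != "tools/call":
        return None
    name = (msg.get("params") or {}).get("name")
    return "critical" if name in tools_of_concern else "high"
```

Any hit from flag_mcp_message_requests on an instance that should never receive MCP traffic, or any "critical" classification, should be treated as the high-severity incident the advisory describes.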