Cyber Resilience

CVE-2026-33032

Critical · Public PoC

Published: 30 March 2026
Modified: 16 April 2026
KEV Added: not listed
Patch: none available at time of disclosure
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3848 (98.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-33032 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Nginxui Nginx Ui. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

Nginx UI versions 2.3.5 and earlier contain an authentication bypass in the MCP integration. The /mcp endpoint is protected by both IP whitelisting and the AuthRequired middleware, but the /mcp_message endpoint applies only IP whitelisting. When the whitelist is empty, the middleware permits all source addresses, exposing every MCP tool to unauthenticated callers.

An attacker with network reachability to the nginx-ui instance can therefore invoke the full set of MCP functions without credentials. This grants the ability to restart the nginx service, create, modify, or delete configuration files, and trigger automatic reloads, resulting in complete control over the nginx deployment. The flaw is tracked as CWE-306 and carries a CVSS 3.1 score of 9.8.

Public advisories, including the GitHub Security Advisory GHSA-h6c2-x2m2-mwhf, confirm that no patches were available at the time of disclosure and recommend restricting network access to the /mcp and /mcp_message endpoints until a fix is released.

The associated EPSS score rose from a low baseline to a peak of 0.1859, indicating that exploitation interest increased after publication.

Vulnerability details

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.
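The two failure points named in the Deeper analysis and Vulnerability details sections above (a whitelist whose empty default means "allow all", and an endpoint that carries that whitelist but not the AuthRequired middleware its sibling /mcp has) can be modelled in a few lines of Go. The program below is an added illustration, not nginx-ui's own code, which this page does not reproduce; it uses only net/http so it runs offline. WeakIPWhitelist reproduces the described empty-list-means-allow-all behaviour in front of a stand-in /mcp_message handler; StrictIPWhitelist fails closed and is chained with a constructed bearer-token AuthRequired, standing in for the session check that already guards /mcp. All function names, the token, and the sample peer addresses (203.0.113.5, 10.1.2.3) are constructed assumptions.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Allowlist is the set of CIDR ranges permitted to reach an endpoint; nil is
// the empty default the advisory describes.
type Allowlist []*net.IPNet

// ParseAllowlist turns CIDR strings such as "10.0.0.0/8" into an Allowlist.
// A malformed entry is a configuration error and is rejected outright.
func ParseAllowlist(entries []string) Allowlist {
	var al Allowlist
	for _, e := range entries {
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			panic("bad allowlist entry " + e)
		}
		al = append(al, n)
	}
	return al
}

// contains checks the TCP peer address of r (never a client-controlled header
// such as X-Forwarded-For) against every listed range.
func (al Allowlist) contains(r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return false
	}
	ip := net.ParseIP(host)
	for _, n := range al {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// WeakIPWhitelist models the advisory's failure mode: an empty list is
// treated as "allow all", so the default configuration performs no check.
func WeakIPWhitelist(al Allowlist, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(al) == 0 || al.contains(r) {
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// StrictIPWhitelist fails closed: an empty list admits nobody.
func StrictIPWhitelist(al Allowlist, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !al.contains(r) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// AuthRequired is a constructed stand-in for the session check that already
// guards /mcp: a single bearer token, compared in constant time.
func AuthRequired(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mcpMessage stands in for the handler that dispatches MCP tool calls.
var mcpMessage = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "tool invoked")
})

// VulnerableChain reproduces the advisory's setup: whitelist only, list empty.
func VulnerableChain() http.Handler {
	return WeakIPWhitelist(nil, mcpMessage)
}

// HardenedChain: fail-closed whitelist, then the same auth requirement as /mcp.
func HardenedChain(allow []string, token string) http.Handler {
	return StrictIPWhitelist(ParseAllowlist(allow), AuthRequired(token, mcpMessage))
}

// Probe sends one POST /mcp_message through a chain and returns the HTTP status.
func Probe(h http.Handler, remoteAddr, token string) int {
	req := httptest.NewRequest(http.MethodPost, "/mcp_message", nil)
	req.RemoteAddr = remoteAddr
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := HardenedChain([]string{"10.0.0.0/8"}, "constructed-token")
	fmt.Println("vulnerable chain, empty list, no credentials:", Probe(VulnerableChain(), "203.0.113.5:4444", ""))
	fmt.Println("hardened chain, outside list / inside no creds / inside with creds:",
		Probe(h, "203.0.113.5:4444", ""), Probe(h, "10.1.2.3:5555", ""), Probe(h, "10.1.2.3:5555", "constructed-token"))
}
```

The vulnerable chain answers 200 to an unauthenticated request from any address because the empty list short-circuits the check; the hardened chain answers 403 from outside the list, 401 from inside it without a token, and 200 only when both the network and the authentication checks pass. Note that with an empty list the hardened chain rejects even a correctly authenticated caller, which is the fail-closed default a defender wants until the allowlist is deliberately populated.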

CWE(s): CWE-306 Missing Authentication for Critical Function

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp, model context protocol

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a critical authentication bypass in the public-facing Nginx UI web interface, enabling unauthenticated remote attackers to invoke MCP tools for full Nginx service control (restart, config create/modify/delete/reload), directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42221 (same product: Nginxui Nginx Ui)
CVE-2026-42222 (same product: Nginxui Nginx Ui)
CVE-2026-27944 (same product: Nginxui Nginx Ui)
CVE-2026-34403 (same product: Nginxui Nginx Ui)
CVE-2026-44015 (same product: Nginxui Nginx Ui)
CVE-2026-33026 (same product: Nginxui Nginx Ui)
CVE-2026-42238 (same product: Nginxui Nginx Ui)
CVE-2026-33031 (same product: Nginxui Nginx Ui)
CVE-2026-33030 (same product: Nginxui Nginx Ui)
CVE-2026-32211 (shared CWE-306)

Affected Assets

Vendor: nginxui
Product: nginx ui
Versions: ≤ 2.3.5

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Directly enforces authentication and authorization requirements on the /mcp_message endpoint before any MCP tool invocation is permitted.

IA-2 Identification and Authentication (Organizational Users) (prevent): Requires identification and authentication prior to allowing access to the MCP functions that can alter nginx configuration and service state.

Network boundary protection (prevent): Enforces boundary protection and network-access restrictions to the /mcp and /mcp_message endpoints until proper authentication is implemented.
