Cyber Posture

CVE-2026-33032

Critical · Public PoC

Published: 30 March 2026
Modified: 16 April 2026
KEV Added: (not listed)
Patch: (none available)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1005 (93.1st percentile)
Risk Priority: 26 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

(MITRE ATT&CK T1190 technique description) Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Security Summary

CVE-2026-33032 is a critical authentication bypass vulnerability in Nginx UI, a web user interface for the Nginx web server, affecting versions 2.3.5 and prior. The issue stems from the MCP (Model Context Protocol) integration, which exposes two HTTP endpoints: /mcp and /mcp_message. The /mcp endpoint enforces both IP whitelisting and authentication via the AuthRequired() middleware, but /mcp_message applies only the IP whitelist. The whitelist is empty by default, and the middleware treats an empty list as "allow all", so in a default deployment /mcp_message is reachable with no authentication at all.

Any network-accessible attacker can exploit this vulnerability without privileges or user interaction to invoke all MCP tools. This grants capabilities such as restarting Nginx, creating, modifying, or deleting Nginx configuration files, and triggering automatic configuration reloads, enabling complete takeover of the Nginx service. The flaw carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-306 (Missing Authentication for Critical Function).

Advisories, including the GitHub security advisory GHSA-h6c2-x2m2-mwhf and analysis on websec.net, confirm no publicly available patches exist as of the CVE's publication on 2026-03-30T18:16:19.410. Because MCP is the interface through which LLM agents drive Nginx UI, an unauthenticated MCP message endpoint hands that entire agent tool surface to anyone who can reach the host; this is the recurring risk in AI/ML deployments that bolt agent protocols onto an existing admin interface.
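
The endpoint wiring described above, reduced to a runnable model. This is an added example written for this page, not Nginx UI's own code: the token check, tool dispatcher, paths and middleware names are stand-ins (assumptions) for the real AuthRequired() and whitelist middleware. It shows the vulnerable wiring (allowlist only on /mcp_message, empty list means allow all) beside a fixed wiring (authentication on both endpoints, allowlist fails closed) and probes both without a network.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Stand-in for a real session/JWT check (assumption, not Nginx UI's code).
const validToken = "Bearer example-session-token"

// mcpTools is a stand-in MCP tool dispatcher; the real one can restart nginx
// and rewrite its config files, so reaching it unauthenticated is full control.
func mcpTools(w http.ResponseWriter, r *http.Request) {
	var req struct {
		Tool string `json:"tool"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "tool %q invoked\n", req.Tool)
}

// authRequired plays the role of AuthRequired(): no valid token, no access.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != validToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// remoteAllowed is an exact-match IP allowlist on the TCP peer address.
func remoteAllowed(allowed []string, remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	for _, a := range allowed {
		if a == host {
			return true
		}
	}
	return false
}

// ipAllowlistOpen reproduces the weak semantics from the advisory:
// an empty allowlist is treated as "allow all".
func ipAllowlistOpen(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(allowed) != 0 && !remoteAllowed(allowed, r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ipAllowlistClosed fails closed: an empty allowlist admits nobody.
func ipAllowlistClosed(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !remoteAllowed(allowed, r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// VulnerableRouter: /mcp gets allowlist + auth, /mcp_message only the allowlist.
func VulnerableRouter(allowed []string) http.Handler {
	mux := http.NewServeMux()
	tools := http.HandlerFunc(mcpTools)
	mux.Handle("/mcp", ipAllowlistOpen(allowed, authRequired(tools)))
	mux.Handle("/mcp_message", ipAllowlistOpen(allowed, tools))
	return mux
}

// FixedRouter: same authentication on both endpoints, allowlist fails closed.
func FixedRouter(allowed []string) http.Handler {
	mux := http.NewServeMux()
	tools := http.HandlerFunc(mcpTools)
	mux.Handle("/mcp", ipAllowlistClosed(allowed, authRequired(tools)))
	mux.Handle("/mcp_message", ipAllowlistClosed(allowed, authRequired(tools)))
	return mux
}

// Probe sends a constructed MCP tool call from the given peer and returns the status.
func Probe(h http.Handler, path, token, remote string) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(`{"tool":"restart_nginx"}`))
	req.RemoteAddr = remote
	if token != "" {
		req.Header.Set("Authorization", token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vuln := VulnerableRouter(nil) // empty default allowlist, as shipped
	fmt.Println("vulnerable /mcp, no token:        ", Probe(vuln, "/mcp", "", "203.0.113.7:4444"))
	fmt.Println("vulnerable /mcp_message, no token:", Probe(vuln, "/mcp_message", "", "203.0.113.7:4444"))
	fixed := FixedRouter([]string{"127.0.0.1"})
	fmt.Println("fixed /mcp_message, no token:     ", Probe(fixed, "/mcp_message", "", "127.0.0.1:5555"))
	fmt.Println("fixed /mcp_message, with token:   ", Probe(fixed, "/mcp_message", validToken, "127.0.0.1:5555"))
}
```

Two points the probe makes concrete: the unauthenticated call to /mcp_message from an arbitrary peer returns 200 on the vulnerable wiring while the same call to /mcp returns 401, which is exactly the inconsistency the advisory describes; and on the fixed wiring the allowlist alone is never the gate, so even a peer on the list still needs a valid token. Note that a source-IP allowlist is a weak control in any case (it is bypassed by anything that proxies or forwards to the UI), which is why the fix is authentication, not a populated list.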

Details

CWE(s)
CWE-306

Affected Products

Vendor: nginxui
Product: nginx ui
Versions: ≤ 2.3.5

AI Security Analysis

AI Category
AI Agent Protocols and Integrations
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
MITRE ATLAS Techniques
None mapped
Classification Reason
Matched keywords: mcp, model context protocol

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is a critical authentication bypass in the public-facing Nginx UI web interface, enabling unauthenticated remote attackers to invoke MCP tools for full Nginx service control (restart, config create/modify/delete/reload), directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References