CVE-2026-33032
Published: 30 March 2026
Summary
CVE-2026-33032 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Nginx UI (vendor nginxui). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 1.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
This vulnerability is AI-related: it is categorised under AI Agent Protocols and Integrations, in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).
Deeper analysis
Nginx UI versions 2.3.5 and earlier contain an authentication bypass in the MCP integration. The /mcp endpoint is protected by both IP whitelisting and the AuthRequired middleware, but the /mcp_message endpoint applies only IP whitelisting. When the whitelist is empty, the middleware permits all source addresses, exposing every MCP tool to unauthenticated callers.
An attacker with network reachability to the nginx-ui instance can therefore invoke the full set of MCP functions without credentials. This grants the ability to restart the nginx service, create, modify, or delete configuration files, and trigger automatic reloads, resulting in complete control over the nginx deployment. The flaw is tracked as CWE-306 and carries a CVSS 3.1 score of 9.8.
Public advisories, including the GitHub Security Advisory GHSA-h6c2-x2m2-mwhf, confirm that no patches were available at the time of disclosure and recommend restricting network access to the /mcp and /mcp_message endpoints until a fix is released.
The associated EPSS score rose from a low baseline to a peak of 0.1859, indicating that exploitation interest increased after publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-17158
Vulnerability details
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting, and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads, achieving complete nginx service takeover. At time of publication, there are no publicly available patches.
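The route wiring the advisory describes, as an added example: this is not Nginx UI's code and uses only the Go standard library, with a hypothetical bearer-token check standing in for the project's AuthRequired middleware. With hardened=false it reproduces the two defects named above (an empty allowlist that allows everyone, and /mcp_message registered without the authentication check); with hardened=true an empty allowlist denies everyone and both MCP routes sit behind both checks. The probe helper drives the router in-process so a maintainer can keep the wiring under a regression test.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ipAllowlist is the set of networks permitted to reach the MCP routes.
type ipAllowlist []*net.IPNet

// parseAllowlist accepts CIDR blocks or single addresses; blank entries are skipped.
func parseAllowlist(entries []string) (ipAllowlist, error) {
	var l ipAllowlist
	for _, e := range entries {
		e = strings.TrimSpace(e)
		if e == "" {
			continue
		}
		if !strings.Contains(e, "/") {
			ip := net.ParseIP(e)
			if ip == nil {
				return nil, errors.New("invalid allowlist entry: " + e)
			}
			bits := 128
			if v4 := ip.To4(); v4 != nil {
				ip, bits = v4, 32
			}
			l = append(l, &net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)})
			continue
		}
		_, n, err := net.ParseCIDR(e)
		if err != nil {
			return nil, err
		}
		l = append(l, n)
	}
	return l, nil
}

// permitted decides whether ip may pass. failOpen reproduces the semantics the
// advisory describes (empty list = allow all); the hardened build passes false,
// so an empty list denies everyone until an operator configures it.
func (l ipAllowlist) permitted(ip net.IP, failOpen bool) bool {
	if len(l) == 0 {
		return failOpen
	}
	for _, n := range l {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func clientIP(r *http.Request) net.IP {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		host = r.RemoteAddr
	}
	return net.ParseIP(host)
}

// ipFilter rejects callers outside the allowlist with 403.
func ipFilter(l ipAllowlist, failOpen bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip := clientIP(r)
		if ip == nil || !l.permitted(ip, failOpen) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// authRequired is a hypothetical stand-in for the real session check: a
// constant-time comparison of a bearer token. Missing or wrong token -> 401.
func authRequired(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if got == "" || subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newRouter wires the two MCP routes. hardened=false mirrors the advisory
// (fail-open allowlist, /mcp_message without auth); hardened=true puts every
// MCP route behind a fail-closed allowlist and the auth check.
func newRouter(l ipAllowlist, token string, hardened bool) http.Handler {
	tool := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "mcp tool invoked")
	})
	mux := http.NewServeMux()
	failOpen := !hardened
	mux.Handle("/mcp", ipFilter(l, failOpen, authRequired(token, tool)))
	if hardened {
		mux.Handle("/mcp_message", ipFilter(l, failOpen, authRequired(token, tool)))
	} else {
		// The gap: allowlist only, no authentication on this route.
		mux.Handle("/mcp_message", ipFilter(l, failOpen, tool))
	}
	return mux
}

// probe sends one request in-process (constructed RemoteAddr, optional token)
// and returns the status code, so the wiring can be asserted on in a test.
func probe(h http.Handler, path, remoteAddr, token string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	req.RemoteAddr = remoteAddr
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	empty, _ := parseAllowlist(nil)
	for _, hardened := range []bool{false, true} {
		r := newRouter(empty, "example-token", hardened)
		fmt.Printf("hardened=%v, empty allowlist: unauthenticated /mcp_message -> %d, /mcp -> %d\n",
			hardened, probe(r, "/mcp_message", "203.0.113.7:4444", ""), probe(r, "/mcp", "203.0.113.7:4444", ""))
	}
}
```

The check that matters for this class of bug is the one on the hardened router: with an empty allowlist, /mcp_message returns 403 even to a caller holding a valid token, and with a populated allowlist an in-range caller still gets 401 without one. Ordering the allowlist filter outside the auth check keeps unauthenticated callers from reaching the credential check at all, which is the interim mitigation the advisory recommends (network restriction) expressed in code.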
- CWE(s): CWE-306 (Missing Authentication for Critical Function)
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: mcp, model context protocol
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a critical authentication bypass in the public-facing Nginx UI web interface, enabling unauthenticated remote attackers to invoke MCP tools for full Nginx service control (restart, config create/modify/delete/reload), directly mapping to T1190: Exploit Public-Facing Application.
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces authentication and authorization requirements on the /mcp_message endpoint before any MCP tool invocation is permitted.
- IA-2 (Identification and Authentication (Organizational Users)): Requires identification and authentication prior to allowing access to the MCP functions that can alter nginx configuration and service state.
- Enforces boundary protection and network-access restrictions to the /mcp and /mcp_message endpoints until proper authentication is implemented.