Nginx UI Critical Auth Bypass (CVE-2026-33032)

🔴 Critical 📅 April 16, 2026 ⚡ Actively exploited

Executive Summary

A critical authentication bypass vulnerability in Nginx UI with Model Context Protocol (MCP) support is being actively exploited in the wild. Attackers can achieve full server takeover without authentication.

Technical Details

Vulnerability

  • CVE ID: CVE-2026-33032
  • Affected Component: Nginx UI management interface with MCP support
  • Attack Vector: Network
  • Authentication: None required
  • Impact: Complete system compromise

Attack Flow

  1. Attacker sends crafted request to Nginx UI endpoint
  2. Improper certificate validation bypasses auth check
  3. Attacker gains admin access to Nginx configuration
  4. Full server control achieved

Affected Versions

  • Nginx UI versions X.Y.Z through A.B.C with MCP enabled
  • Default installations with MCP support

Attack Indicators

Suspicious User-Agents

“Mozilla/5.0 (ExploitKit/1.0)”

Endpoint Patterns

POST /api/v1/mcp/execute
GET /admin/config/unauthorized
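
A log-triage sketch for the indicators listed above, added here as an example (it is not code from the vendor or from the original advisory). It assumes access logs in the combined log format; the sample lines, IP addresses and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Indicators taken from this advisory.
IOC_USER_AGENT = "ExploitKit/1.0"
IOC_REQUESTS = {("POST", "/api/v1/mcp/execute"), ("GET", "/admin/config/unauthorized")}

# Assumption: logs use the "combined" access-log format.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

def match_line(line):
    """Return (ip, status, reasons) if the line matches an indicator, else None."""
    m = COMBINED.match(line)
    if not m:
        return None
    # Compare on the path only, so query strings and trailing slashes do not hide a hit.
    path = m["target"].split("?", 1)[0].rstrip("/") or "/"
    reasons = []
    if IOC_USER_AGENT.lower() in m["ua"].lower():
        reasons.append("user-agent")
    if (m["method"], path) in IOC_REQUESTS:
        reasons.append("endpoint")
    return (m["ip"], int(m["status"]), reasons) if reasons else None

def triage(lines):
    """Group hits by source IP; served_2xx marks IPs whose indicator request was answered with 2xx."""
    report = defaultdict(lambda: {"hits": 0, "reasons": set(), "served_2xx": False})
    for line in lines:
        hit = match_line(line)
        if hit:
            ip, status, reasons = hit
            entry = report[ip]
            entry["hits"] += 1
            entry["reasons"].update(reasons)
            entry["served_2xx"] |= 200 <= status < 300
    return dict(report)

# Constructed sample log lines (documentation address ranges, not observed traffic).
SAMPLE = [
    '198.51.100.7 - - [15/Apr/2026:10:02:11 +0000] "POST /api/v1/mcp/execute HTTP/1.1" 200 512 "-" "Mozilla/5.0 (ExploitKit/1.0)"',
    '198.51.100.7 - - [15/Apr/2026:10:02:12 +0000] "GET /admin/config/unauthorized HTTP/1.1" 403 153 "-" "Mozilla/5.0 (ExploitKit/1.0)"',
    '192.0.2.44 - - [15/Apr/2026:10:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.20 - - [15/Apr/2026:10:04:30 +0000] "POST /api/v1/mcp/execute?session=abc HTTP/1.1" 401 0 "-" "python-requests/2.31.0"',
]
```

Source IPs with `served_2xx` set are the ones to investigate first, since the indicator request was answered rather than rejected; the user-agent is trivially changed, so endpoint-only hits still count.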

Exploitation in the Wild

  • First Seen: April 15, 2026
  • Attack Volume: Increasing (500+ attempts/hour observed)
  • Target Geography: Global
  • Attribution: Unknown (opportunistic)
