CVE-2026-33032: Critical Nginx UI Authentication Bypass Under Active Exploitation
A critical missing authentication vulnerability in Nginx UI (CVE-2026-33032, CVSS 9.8) is being actively exploited in the wild, allowing unauthenticated attackers to take full control of managed Nginx servers.

A critical vulnerability in Nginx UI, tracked as CVE-2026-33032, is being actively exploited in the wild, giving unauthenticated attackers complete control over managed Nginx web servers. The flaw, which carries a CVSS score of 9.8, was disclosed on March 30, 2026, after being reported by Pluto Security researcher Yotam Perkal in early March. A patch was released on March 15, 2026, but exploitation has now been confirmed, according to a Recorded Future report published on April 13, 2026.
Nginx UI is an open-source web interface designed to centralize the management of Nginx configurations and SSL certificates. The vulnerability stems from missing authentication controls in the Model Context Protocol (MCP) server, which can perform privileged operations on managed Nginx instances. In the default IP allowlist configuration, any remote IP can access MCP functionality, making exploitation trivial for attackers who can reach the management interface.
Crucially, CVE-2026-33032 is being exploited as part of a chain with another vulnerability, CVE-2026-27944, an information leak flaw. A PurpleOps report published on April 16, 2026, confirmed that attackers first exploit CVE-2026-27944 to leak sensitive information, then use that data to access the MCP server via CVE-2026-33032. Once inside, the attacker gains full control over the managed Nginx service, enabling them to modify configurations, intercept traffic, or deploy malicious content.
The affected versions are a source of confusion. According to the Pluto Security blog post, versions 2.3.3 and prior are vulnerable, with the fix included in version 2.3.4. However, the official CVE record states that versions 2.3.5 and below are affected. The information leak vulnerability CVE-2026-27944 was patched in version 2.3.3. To avoid any ambiguity, users are strongly advised to update to the very latest version, 2.3.6, which addresses both vulnerabilities.
Organizations running Nginx UI should prioritize updating on an urgent basis. In addition to patching, defenders should strictly limit network access to the Nginx UI management interface to only those who require it, reducing exposure to future vulnerabilities. Rapid7 customers using Exposure Command, InsightVM, or Nexpose can assess their exposure to CVE-2026-33032 with unauthenticated checks available in the April 17 content release.
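The network-restriction advice above can be implemented by placing a reverse proxy in front of the management interface so that only an administrative subnet can reach it. The configuration below is an added example, not part of the advisory or of the Nginx UI project; the hostname, certificate paths, admin subnet and the backend address and port are all assumptions and must be adapted to the actual deployment.

```nginx
# Added example (not from the advisory or the Nginx UI project): an nginx
# reverse proxy in front of the Nginx UI management interface that only
# admits an administrative subnet. Hostname, paths, subnet and backend
# address/port are assumptions.

server {
    listen 443 ssl;
    server_name nginx-ui.example.internal;   # assumed hostname

    ssl_certificate     /etc/ssl/private/nginx-ui.crt;   # assumed paths
    ssl_certificate_key /etc/ssl/private/nginx-ui.key;

    # Server-level allow/deny applies to every location, so the MCP
    # endpoints are covered along with the rest of the interface.
    # The decision is made on the TCP peer address, not on any header.
    allow 10.20.30.0/24;    # assumed management network
    deny  all;              # everyone else receives 403

    location / {
        # Assumed: Nginx UI is bound to loopback so it cannot be reached
        # except through this proxy.
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The UI keeps long-lived connections open; allow WebSocket upgrades.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Two points matter for this to be effective. First, the backend must not be reachable directly (bind it to loopback or firewall its port), otherwise the proxy's allowlist can simply be bypassed. Second, this limits who can reach the interface at all; it does not remove the missing-authentication flaw, so it complements, rather than replaces, upgrading to 2.3.6.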
This incident highlights the growing trend of attackers chaining multiple vulnerabilities to achieve full system compromise. The active exploitation of CVE-2026-33032 and CVE-2026-27944 underscores the importance of timely patching and the need for organizations to maintain strict network segmentation for management interfaces. As open-source tools like Nginx UI become more widely adopted, they also become attractive targets for threat actors seeking to compromise large numbers of servers efficiently.