CVE-2026-33032: Nginx UI Missing MCP Authentication
Strategic summary
Describes a missing authentication mechanism in Nginx UI that could allow unauthorized access.
Full text
Title: CVE-2026-33032: Nginx UI Missing MCP Authentication
URL Source: https://www.rapid7.com/blog/post/etr-cve-2026-33032-nginx-ui-missing-mcp-authentication
Published Time: 2026-04-16T19:52:13.018Z
# CVE-2026-33032: Nginx UI Missing MCP Authentication
[Rapid7](https://www.rapid7.com/blog/author/rapid7/)
Apr 16, 2026 | Last updated on Apr 16, 2026 | 2 min read

## Table of contents
* Overview
* Mitigation guidance
* Rapid7 customers
* Updates
## Overview
On March 30, 2026, a security advisory was [published](https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf) for a critical vulnerability affecting [Nginx UI](https://github.com/0xJacky/nginx-ui). Nginx UI is an open-source web interface for centrally managing Nginx configurations and SSL certificates. The critical vulnerability, [CVE-2026-33032](https://nvd.nist.gov/vuln/detail/CVE-2026-33032), was reported in early March by Pluto Security researcher Yotam Perkal and [subsequently patched](https://pluto.security/blog/mcp-bug-nginx-security-vulnerability-cvss-9-8/#Timeline) on March 15, 2026. That same day, Pluto Security [published](https://pluto.security/blog/mcp-bug-nginx-security-vulnerability-cvss-9-8/) a technical blog post with some vulnerability details.
CVE-2026-33032 is a missing-authentication vulnerability with a CVSS score of [9.8](https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): because no authentication control protects it, an unauthenticated attacker can reach a [Model Context Protocol (MCP)](https://modelcontextprotocol.io/docs/getting-started/intro) server that performs privileged operations on the managed Nginx web servers. Systems are vulnerable in the default IP allowlist configuration, which permits any remote IP to reach the MCP functionality. Successful exploitation gives the attacker full control of the managed Nginx service.
According to a Recorded Future [report](https://www.recordedfuture.com/blog/march-2026-cve-landscape) published on April 13, 2026, exploitation of CVE-2026-33032 in the wild has begun.
## Mitigation guidance
Organizations running Nginx UI should prioritize updating urgently to remediate CVE-2026-33032. Additionally, to reduce exposure to future vulnerabilities affecting Nginx UI, defenders should ensure that network access to the Nginx UI management interface is strictly limited to those who must have it.
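The allowlist check below is an added example, not code from the Rapid7 post or the Nginx UI project. It shows why an allowlist whose default entry matches every address (the open-by-default condition described in the Overview) is no control at all, and triages access-log lines for MCP requests from hosts outside the permitted management range, which is the kind of exposure the mitigation guidance above asks defenders to close off. The MCP path prefix, the combined log format and the sample log lines are assumptions constructed for the example.

```python
# Added example, not code from the Rapid7 post or the Nginx UI project: shows why an
# allowlist whose default entry matches every address is no control, and triages
# access-log lines for MCP requests from hosts outside the permitted range.
import ipaddress
import re
from typing import Iterable, List, Tuple

# ASSUMPTION: placeholder path prefix for the MCP endpoint; confirm the real route.
MCP_PATH_PREFIX = "/mcp"

# Combined access-log format (assumed): ip ident user [time] "METHOD PATH PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def is_allowed(ip: str, allowlist: Iterable[str]) -> bool:
    """True if ip is inside any allowlisted CIDR; fails closed on bad input or an
    empty list. A default entry of 0.0.0.0/0 matches every address, which is the
    open-by-default condition the advisory describes."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in ipaddress.ip_network(c, strict=False) for c in allowlist)


def find_unauthorized_mcp_access(
    log_lines: Iterable[str], allowlist: Iterable[str]
) -> List[Tuple[str, str, str, int]]:
    """Return (ip, method, path, status) for MCP requests from non-allowlisted hosts.
    A 2xx status means the server answered the request, not merely that it was
    attempted; escalate those first."""
    cidrs = list(allowlist)
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["path"].startswith(MCP_PATH_PREFIX) and not is_allowed(m["ip"], cidrs):
            hits.append((m["ip"], m["method"], m["path"], int(m["status"])))
    return hits


# Constructed sample log lines (not real traffic). 10.0.0.0/8 is the intended
# management network; 203.0.113.0/24 is documentation space for an arbitrary remote host.
SAMPLE_LOG = [
    '10.20.30.40 - - [16/Apr/2026:10:00:01 +0000] "POST /mcp HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '203.0.113.7 - - [16/Apr/2026:10:00:05 +0000] "POST /mcp HTTP/1.1" 200 512 "-" "python-requests/2.31"',
    '203.0.113.7 - - [16/Apr/2026:10:00:09 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]
```

Running `find_unauthorized_mcp_access(SAMPLE_LOG, ["0.0.0.0/0"])` returns nothing, because the permissive default accepts the remote host; with `["10.0.0.0/8"]` the served `POST /mcp` from 203.0.113.7 is flagged.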
### Affected versions
According to the [finder’s blog post](https://pluto.secur […]