Critical Vulnerability in Nginx UI
17 April 2026
Nginx-UI has released a security advisory addressing a vulnerability affecting Nginx-UI with Model Context Protocol (MCP) support. This vulnerability is being exploited in the wild. Successful exploitation of this vulnerability can allow any network attacker to invoke all MCP tools without authentication and lead to a complete NGINX service takeover. Users and administrators of affected products are advised to update to the latest version immediately.
Background
Nginx-UI has released a security advisory addressing a vulnerability (CVE-2026-33032) affecting Nginx-UI with Model Context Protocol (MCP) support. The vulnerability has a Common Vulnerability Scoring System (CVSS v3.1) score of 9.8 out of 10.
Impact
Successful exploitation of this vulnerability can allow any network attacker to invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads, leading to a complete NGINX service takeover.
Known Exploitation
This vulnerability is reportedly being actively exploited, and a proof-of-concept exploit is publicly available.
Affected products
The vulnerability affects Nginx-UI versions prior to 2.3.6.
Recommendations
Users and administrators of affected products are advised to update to the latest version immediately.
References
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf
