Critical Nginx UI Vulnerability Actively Exploited, Allows Server Takeover Without Authentication

208/69 Friday, April 17, 2026

Cybersecurity experts have issued a warning about active exploitation of a critical vulnerability, CVE-2026-33032, affecting Nginx UI, a widely used web-based management interface for Nginx. The flaw stems from support for the Model Context Protocol (MCP), where the /mcp_message endpoint is left unprotected. This allows remote attackers to bypass authentication entirely and gain high-level administrative access without requiring valid credentials.

Analysis shows that the attack process is relatively simple but highly impactful. Attackers initiate a Server-Sent Events (SSE) connection to obtain a session ID, then send crafted POST requests directly to the MCP control interface. Through this, they can leverage up to 12 built-in management functions, including reading, modifying, or deleting Nginx configuration files, injecting malicious configurations, and triggering automatic reloads. This enables attackers to immediately apply changes and fully compromise the server.

Currently, more than 2,600 exposed Nginx UI instances worldwide have been identified as vulnerable, particularly across regions in Asia and Europe. The risk has escalated further due to the public release of a Proof-of-Concept (PoC) exploit. System administrators using Nginx UI are strongly advised to urgently update to version 2.3.6, which addresses the vulnerability, to prevent potential compromise of organizational infrastructure.
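To check whether an instance has already received requests of the kind described above, the following added example (not from the original article or the Nginx UI project) scans access logs for POST requests to /mcp_message from outside trusted networks. It assumes a reverse proxy in front of Nginx UI that writes the combined log format; `TRUSTED_NETS`, the function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re

# Assumption: a reverse proxy in front of Nginx UI logs in the "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# Assumption: networks that administration is expected from (constructed value).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # a client field that is not an IP is treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)


def find_mcp_message_posts(lines):
    """Map each untrusted client IP to the status codes of its POSTs to /mcp_message."""
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        # Drop the query string and a trailing slash; tolerate a proxy path prefix.
        path = m.group("target").split("?", 1)[0].rstrip("/")
        if path.endswith("/mcp_message") and not is_trusted(m.group("ip")):
            hits.setdefault(m.group("ip"), []).append(m.group("status"))
    return hits


# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Apr/2026:03:12:44 +0000] "POST /mcp_message?id=constructed HTTP/1.1" 200 57 "-" "curl/8.5.0"',
    '203.0.113.7 - - [17/Apr/2026:03:12:45 +0000] "POST /mcp_message?id=constructed HTTP/1.1" 200 112 "-" "curl/8.5.0"',
    '10.1.2.3 - - [17/Apr/2026:08:00:01 +0000] "POST /mcp_message HTTP/1.1" 200 40 "-" "admin-tool"',
    '198.51.100.20 - - [17/Apr/2026:09:10:00 +0000] "GET /mcp_message HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [17/Apr/2026:09:10:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [17/Apr/2026:11:30:19 +0000] "POST /mcp_message/ HTTP/1.1" 403 0 "-" "-"',
]

if __name__ == "__main__":
    for ip, statuses in find_mcp_message_posts(SAMPLE_LOG).items():
        print(f"{ip}: {len(statuses)} POST(s) to /mcp_message, statuses {statuses}")
```

Any address reported on an instance that has not yet been updated to 2.3.6 is a reason to review the Nginx configuration files for unexpected changes.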

Source: https://www.bleepingcomputer.com/news/security/critical-nginx-ui-auth-bypass-flaw-now-actively-exploited-in-the-wild/