Critical NGINX UI Vulnerability CVE-2026-33032 Under Active Exploitation

Severity: High (Score: 78.8)

Sources: Bleepingcomputer, Infosecurity-Magazine, Securityaffairs.Co, www.infosecurityeurope.com, Darkreading

Summary

A critical vulnerability in the nginx-ui web server management tool, tracked as CVE-2026-33032, has been actively exploited since March 2026. This flaw allows attackers to bypass authentication on the /mcp_message endpoint, enabling full control over NGINX servers through a single unauthenticated API request. Discovered by Pluto Security, the vulnerability has a CVSS score of 9.8 and affects numerous installations, with over 2,600 instances identified as publicly accessible. The nginx-ui maintainers released a patch (version 2.3.4) on March 15, 2026, but many systems remain unpatched. Attackers can leverage this vulnerability to modify server configurations, reload services, and intercept traffic. Organizations using nginx-ui are urged to update immediately or restrict access to the management interface. The vulnerability highlights risks associated with the integration of AI management protocols in web applications.

Key Points:

  • CVE-2026-33032 allows unauthenticated access to critical NGINX management functions.
  • Over 2,600 nginx-ui instances are publicly exposed and vulnerable to exploitation.
  • A patch was released on March 15, 2026, but many systems remain unpatched.
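For the "restrict access to the management interface" mitigation, the following added example (not taken from the advisory or from the nginx-ui project) triages access logs for requests to /mcp_message that came from outside a management allowlist. It assumes nginx-ui sits behind a reverse proxy writing combined-format logs; the networks, the log lines and the function names are constructed for illustration.

```python
import ipaddress
import re

# Assumption: management networks allowed to reach nginx-ui (constructed values).
MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "127.0.0.0/8")]
ENDPOINT = "/mcp_message"  # endpoint named in the summary above

# Combined log format: ip, ident, user, [time], "METHOD target PROTO", status, ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Mar/2026:10:01:02 +0000] "POST /mcp_message HTTP/1.1" 200 512 "-" "-"',
    '10.20.0.15 - - [20/Mar/2026:10:02:00 +0000] "POST /mcp_message HTTP/1.1" 200 480 "-" "-"',
    '198.51.100.23 - - [20/Mar/2026:10:03:10 +0000] "POST /mcp_message?id=1 HTTP/1.1" 403 153 "-" "-"',
    '203.0.113.7 - - [20/Mar/2026:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

def is_mgmt(ip):
    """True if the client address falls inside an allowed management network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client field: treat as untrusted
    return any(addr in net for net in MGMT_NETS)

def find_exposed_hits(lines):
    """Return requests to the MCP endpoint that came from outside MGMT_NETS."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Drop the query string and a trailing slash; allow a proxy path prefix.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if not path.endswith(ENDPOINT) or is_mgmt(m["ip"]):
            continue
        status = int(m["status"])
        # served=True means the proxy passed the request through (status < 400),
        # i.e. the access restriction is missing or not matching this client.
        hits.append({"ip": m["ip"], "time": m["ts"], "status": status,
                     "served": status < 400})
    return hits

if __name__ == "__main__":
    for hit in find_exposed_hits(SAMPLE_LOG):
        print(hit)
```

Any hit with served set to True on an instance older than 2.3.4 is a reason to review the NGINX configuration for unexpected changes.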

Key Entities

  • Data Breach (attack_type)
  • Ransomware (attack_type)
  • Zero-day Exploit (attack_type)
  • Nginx (tool)
  • Docker (tool)
  • Angry IP Scanner (tool)
  • Cuckoo Sandbox (tool)
  • Ghidra (tool)
  • Pluto Security (company)
  • Pluto Security AI (company)
  • China (country)
  • Germany (country)
  • Hong Kong (country)
  • Indonesia (country)
  • United States (country)
  • CVE-2025-55182 (cve)
  • CVE-2026-27944 (cve)
  • CVE-2026-33032 (cve)
  • T1041 - Exfiltration Over C2 Channel (mitre_attack)
  • T1046 - Network Service Discovery (mitre_attack)
  • T1059 - Command and Scripting Interpreter (mitre_attack)
  • T1190 - Exploit Public-Facing Application (mitre_attack)
  • T1552.001 - Credentials In Files (mitre_attack)
  • Nginx-ui (platform)
  • MCPwn (vulnerability)
  • MCPwnfluence (vulnerability)
  • Nginx-ui Flaw (vulnerability)
  • React2Shell (malware)