CVE-2026-33032 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: March 30, 2026
Nginx UI - Broken Access Control
Overview
Nginx UI <= 2.3.5 contains a broken access control vulnerability caused by missing authentication on the /mcp_message endpoint when the IP whitelist is empty. It lets network attackers fully control the nginx service remotely. Exploitation requires network access.
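The flaw class described above, as an added Go example that is not nginx-ui's own code: an access check that relies on an IP whitelist alone and treats an empty list as allow-all, beside a check that fails closed and always requires authentication. The function names, the bearer-token scheme and the fail-open reading of "empty IP whitelist" are assumptions made for illustration; the addresses and token are constructed sample values.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
)

// ipAllowed: true only if the peer IP is listed; an empty list matches nothing.
func ipAllowed(whitelist []string, remoteAddr string) bool {
	host, _, _ := net.SplitHostPort(remoteAddr)
	peer := net.ParseIP(host)
	for _, ip := range whitelist {
		if peer != nil && peer.Equal(net.ParseIP(ip)) {
			return true
		}
	}
	return false
}

// weakCheck (assumed flaw shape): whitelist only, empty whitelist means allow-all.
func weakCheck(whitelist []string, r *http.Request) int {
	if len(whitelist) > 0 && !ipAllowed(whitelist, r.RemoteAddr) {
		return http.StatusForbidden
	}
	return http.StatusOK
}

// strictCheck: empty whitelist or empty token denies; a bearer token is always required.
func strictCheck(whitelist []string, token string, r *http.Request) int {
	got, want := []byte(r.Header.Get("Authorization")), []byte("Bearer "+token)
	switch {
	case token == "" || !ipAllowed(whitelist, r.RemoteAddr):
		return http.StatusForbidden
	case subtle.ConstantTimeCompare(got, want) != 1:
		return http.StatusUnauthorized
	}
	return http.StatusOK
}

// request builds a constructed in-memory request from the given peer address.
func request(remote, auth string) *http.Request {
	return &http.Request{Method: "POST", RemoteAddr: remote, Header: http.Header{"Authorization": {auth}}}
}

func main() {
	r := request("203.0.113.7:4000", "") // unlisted peer, no credentials
	fmt.Println(weakCheck(nil, r), strictCheck(nil, "tok", r))
}
```

With an empty whitelist the first check admits the unauthenticated request, while the second rejects it before the handler is reached.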
Impact
Network attackers can fully control the nginx service, including config modification and service restart, leading to complete service takeover.
Mitigation
Update to the latest version when available.
Social Media Activity (2 posts)
CVE-2026-33032 - Critical (9.8) Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentic... https://www.thehackerwire.com/vulnerability/CVE-2026-33032/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-33032
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_access_control
- Status: new
- EPSS: 0.0%
- Social Posts: 2
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H