Home / Vulnerability Intelligence / CVE-2026-33032

CVE-2026-33032 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: April 1, 2026

Nginx UI - Broken Access Control

Published: March 30, 2026Updated: April 1, 2026Remote Exploitable

Overview

Nginx UI <= 2.3.5 contains a broken access control vulnerability caused by missing authentication on /mcp_message endpoint with empty IP whitelist, letting network attackers fully control nginx service remotely, exploit requires network access.

Severity & Score

Severity: Critical

CVSS Score: 9.8

EPSS Score: 754.8%(Probability of exploitation in next 30 days)

Impact

Network attackers can fully control nginx service, including config modification and service restart, leading to complete service takeover.

Mitigation

Update to the latest version when available.

References

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf

Social Media Activity(1 post)

HackMag — Top-notch cybersecurity magazine

@hackmag

Apr 20, 2026

⚪️ Critical Vulnerability in Nginx UI Allows Full Server Takeover 🗨️ Information security researchers have warned that a critical vulnerability in the popular Nginx web server management tool (nginx-ui) is being actively exploited by attackers and allows for complete server takeover. The issue has been assigned the identifier CVE-2026-33032 (9.8 on… 🔗 https://hackmag.com/news/nginx-ui?utm_source=mastodon&utm_medium=social&utm_campaign=repost_hackmag_to_socials #news

View original post

GitHub Repositories(3 repos)

Related Resources

Details

CVE ID: CVE-2026-33032
Severity: Critical
CVSS Score: 9.8
Type: broken_access_control
Status: unconfirmed
EPSS: 754.8%
Nuclei: Available
Social Posts: 1

CWE

CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

754.8%Probability of exploitation in the next 30 days

Nuclei Template

View Nuclei Template