A severe vulnerability in nginx-ui, tracked as CVE-2026-33032 (CVSS score 9.8), is being actively exploited. It lets attackers bypass authentication and gain full control of Nginx servers. The flaw arises from inadequate protection of the /mcp_message endpoint: the endpoint relies solely on IP whitelisting, and because the default configuration allows all IPs, attackers can reach the service without authenticating.

Server takeover makes this a significant threat to organizations using the software, and active exploitation expands the attack surface, so mitigation should be prioritized according to exposure and evidence of exploitation. For practitioners, the takeaway is to assess exposure to this vulnerability immediately and act promptly to prevent attacks.
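The fail-open pattern described above, modelled as an added Go example (this is not nginx-ui's code): an allowlist-only check whose empty default admits every client, next to a check that fails closed and also authenticates. The names `guard`, `inList`, `probe` and `ok`, the bearer-token scheme and the sample addresses are all constructed for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/netip"
)

// inList reports whether the source address is inside an allowlisted CIDR.
func inList(list []string, remoteAddr string) bool {
	ap, _ := netip.ParseAddrPort(remoteAddr) // zero Addr on error matches nothing
	for _, cidr := range list {
		if p, err := netip.ParsePrefix(cidr); err == nil && p.Contains(ap.Addr()) {
			return true
		}
	}
	return false
}

// guard with failOpen=true and token="" models the flaw: the allowlist is the only
// check and an empty list admits everyone. failOpen=false plus a token fails closed.
func guard(list []string, failOpen bool, token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !(failOpen && len(list) == 0) && !inList(list, r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if got := []byte(r.Header.Get("Authorization")); token != "" && subtle.ConstantTimeCompare(got, []byte("Bearer "+token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed POST /mcp_message and returns the status code.
func probe(h http.Handler, remoteAddr, authz string) int {
	req := httptest.NewRequest(http.MethodPost, "/mcp_message", nil)
	req.RemoteAddr = remoteAddr
	req.Header.Set("Authorization", authz)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

var ok = http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // stand-in for the protected handler
func main() { fmt.Println(probe(guard(nil, true, "", ok), "203.0.113.7:40000", "")) }
```

With the hardened settings, an empty allowlist rejects every request, so a forgotten or default configuration denies access instead of granting it.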