
Update now: Active exploitation of Nginx UI vulnerability CVE-2026-33032 underway

Critical severity bug in popular open-source web interface targeted by hackers a fortnight after disclosure.

Fri, 17 Apr 2026

The maintainers of the open-source web interface Nginx UI disclosed a vulnerability in the platform on March 30, warning that an unauthenticated MCP endpoint could lead to complete remote takeover of Nginx.

As of April 13, according to cyber security and reporting firm Recorded Future, that vulnerability – CVE-2026-33032 – is being actively targeted by hackers.

“CVE-2026-33032 is a missing authentication bug with a CVSS score of 9.8; as a result of missing authentication controls, an unauthenticated attacker can access a Model Context Protocol (MCP) server that can perform privileged operations on managed Nginx web servers,” researchers at Rapid7 said in an April 17 blog post.

 
 

“Systems are vulnerable in the default IP allowlist configuration, which allows any remote IP to access MCP functionality. Exploitation results in full attacker control of the managed Nginx service.”

The flaw was originally reported by Pluto Security researcher Yotam Perkal in early March and patched soon after on March 15.

Versions prior to 2.3.3 are impacted by the vulnerability, and the issue is fixed in versions 2.3.4 and later. However, Rapid7 has spotted a point of confusion in the official reporting.

“However, the official CVE record states that versions 2.3.5 and below are affected. This discrepancy in affected version numbers makes it unclear as to the correct version required to remediate CVE-2026-33032,” Rapid7 said.

That being the case, Rapid7 recommends users play it safe and update to the very latest version of Nginx UI, 2.3.6.
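The version discrepancy described above can be turned into a triage pass over an inventory of installed Nginx UI versions. This is an added example, not code from Rapid7 or the Nginx UI project; the hostnames and version strings in the sample are constructed, and the status labels are this example's own.

```python
import re

# Version boundaries exactly as quoted in the article.
ADVISORY_AFFECTED_BELOW = (2, 3, 3)  # "versions prior to 2.3.3 are impacted"
RECOMMENDED = (2, 3, 6)              # Rapid7's recommended update target

_VERSION = re.compile(r"^\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(-[0-9A-Za-z.]+)?")


def sort_key(text):
    """Turn 'v2.3.5', '2.3' or '2.3.6-rc1' into a comparable tuple.

    The last element is 0 for a pre-release and 1 for a release, so a
    pre-release of X sorts just below X itself.
    """
    m = _VERSION.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor or 0), int(patch or 0), 0 if pre else 1)


def triage(text):
    """Classify one installed version against both published ranges."""
    key = sort_key(text)
    if key < ADVISORY_AFFECTED_BELOW + (1,):
        return "affected"        # every published range covers it
    if key < RECOMMENDED + (1,):
        return "disputed"        # sources disagree or are silent: 2.3.3 to 2.3.5
    return "at-recommended"      # 2.3.6 or later


def triage_inventory(inventory):
    """Return (host, version, status) rows, most urgent first."""
    order = {"affected": 0, "disputed": 1, "at-recommended": 2}
    rows = [(host, ver, triage(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are placeholders.
    sample = {"edge-01": "v2.3.2", "edge-02": "2.3.3", "edge-03": "2.3.5",
              "edge-04": "2.3.6-rc1", "edge-05": "2.3.6"}
    for host, ver, status in triage_inventory(sample):
        print(f"{host:8} {ver:10} {status}")
```

Hosts in the "disputed" band are the ones the conflicting version ranges leave unresolved, so they are queued for the same update as the "affected" ones.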

According to research by Pluto Security, thousands of instances of the platform were vulnerable as of April 15.


David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
