Particle.news

Critical Nginx-UI Bug Under Active Exploit Lets Full Server Takeover

A missing login check on an MCP tools endpoint leaves management actions open to anyone.

Overview

  • Threat intelligence firms Recorded Future and VulnCheck now list CVE-2026-33032 as actively exploited, and the vulnerability carries a CVSS score of 9.8.
  • The flaw lives in nginx-ui’s Model Context Protocol integration, where the /mcp_message endpoint shipped without the AuthRequired middleware and an empty IP allowlist was treated as permitting every source.
  • Pluto Security’s Yotam Perkal says attackers can gain control in seconds by first getting a session ID from the /mcp endpoint and then invoking tools through /mcp_message without logging in.
  • Successful attacks can rewrite Nginx configuration, trigger reloads, intercept traffic, and harvest administrator credentials, which amounts to full service takeover.
  • Maintainers patched the issue in version 2.3.4 in March. Guidance urges updating immediately, disabling MCP if patching is not possible, restricting access to the admin port, and reviewing logs; public PoC code and technical details heighten the risk.
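The two weaknesses the summary describes, a management endpoint with no session check in front of it and an allowlist whose empty state means "allow all", and the log review the guidance calls for, can be made concrete with a small Go program. This is an added example written for this page, not code from nginx-ui or from the researchers quoted above: the gate functions, the log format and every address in it are constructed for illustration, and the hardened gate shows the fail-closed behaviour a defender wants (session required, empty allowlist denies) beside the permissive behaviour that was reported.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Decision records whether a request to an MCP endpoint is admitted and why.
type Decision struct {
	Allowed bool
	Reason  string
}

// gateLegacy reproduces the weak semantics described in the report (constructed,
// not nginx-ui's code): no session check at all, and an empty allowlist is read
// as "every source permitted".
func gateLegacy(remote netip.Addr, allowlist []netip.Prefix) Decision {
	if len(allowlist) == 0 {
		return Decision{true, "empty allowlist: every source permitted"}
	}
	for _, p := range allowlist {
		if p.Contains(remote) {
			return Decision{true, "source in allowlist"}
		}
	}
	return Decision{false, "source not in allowlist"}
}

// gateHardened fails closed: the caller must already hold a valid session, and
// an empty allowlist denies instead of permitting. The session check runs first
// so an unauthenticated caller learns nothing about the allowlist.
func gateHardened(authenticated bool, remote netip.Addr, allowlist []netip.Prefix) Decision {
	if !authenticated {
		return Decision{false, "no valid session"}
	}
	if len(allowlist) == 0 {
		return Decision{false, "empty allowlist: fail closed"}
	}
	for _, p := range allowlist {
		if p.Contains(remote) {
			return Decision{true, "authenticated and source in allowlist"}
		}
	}
	return Decision{false, "source not in allowlist"}
}

// mustPrefixes parses CIDR strings into prefixes for the examples below.
func mustPrefixes(cidrs ...string) []netip.Prefix {
	out := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		out = append(out, netip.MustParsePrefix(c))
	}
	return out
}

// accessRecord is one parsed line of a constructed common-log-format access log.
type accessRecord struct {
	IP, User, Method, Path string
	Status                 string
}

// parseAccessLine handles the constructed format:
//   <ip> - <user> [<time>] "<method> <path> <proto>" <status> <bytes>
// A user of "-" stands for "no authenticated user" in this illustration.
func parseAccessLine(line string) (accessRecord, bool) {
	fields := strings.Fields(line)
	q1 := strings.Index(line, "\"")
	if len(fields) < 3 || q1 < 0 {
		return accessRecord{}, false
	}
	rest := line[q1+1:]
	q2 := strings.Index(rest, "\"")
	if q2 < 0 {
		return accessRecord{}, false
	}
	req := strings.Fields(rest[:q2])
	after := strings.Fields(rest[q2+1:])
	if len(req) < 2 || len(after) < 1 {
		return accessRecord{}, false
	}
	path, _, _ := strings.Cut(req[1], "?") // drop any query string
	return accessRecord{IP: fields[0], User: fields[2], Method: req[0], Path: path, Status: after[0]}, true
}

// suspiciousMCPHits returns requests to /mcp or /mcp_message that carry no
// authenticated user, the pattern a log review after this advisory looks for.
func suspiciousMCPHits(lines []string) []accessRecord {
	var hits []accessRecord
	for _, l := range lines {
		r, ok := parseAccessLine(l)
		if !ok {
			continue
		}
		isMCP := r.Path == "/mcp" || r.Path == "/mcp_message"
		if isMCP && r.User == "-" {
			hits = append(hits, r)
		}
	}
	return hits
}

// sampleLog is constructed input using documentation-range addresses.
var sampleLog = []string{
	`203.0.113.5 - - [01/Apr/2026:10:00:00 +0000] "GET /mcp HTTP/1.1" 200 512`,
	`203.0.113.5 - - [01/Apr/2026:10:00:01 +0000] "POST /mcp_message HTTP/1.1" 200 64`,
	`10.0.0.7 - admin [01/Apr/2026:10:02:00 +0000] "POST /mcp_message HTTP/1.1" 200 64`,
	`198.51.100.9 - - [01/Apr/2026:10:03:00 +0000] "GET /api/settings HTTP/1.1" 401 0`,
}

func main() {
	remote := netip.MustParseAddr("203.0.113.5")
	fmt.Println("legacy, empty allowlist:  ", gateLegacy(remote, nil))
	fmt.Println("hardened, no session:     ", gateHardened(false, remote, nil))
	fmt.Println("hardened, empty allowlist:", gateHardened(true, remote, nil))
	fmt.Println("hardened, LAN source:     ", gateHardened(true, netip.MustParseAddr("10.1.2.3"), mustPrefixes("10.0.0.0/8")))
	for _, h := range suspiciousMCPHits(sampleLog) {
		fmt.Printf("review: %s %s %s by %s (status %s)\n", h.IP, h.Method, h.Path, h.User, h.Status)
	}
}
```

The log format here is a stand-in; on a real deployment the "no authenticated user" signal has to be derived from however the application actually records sessions, and the review should also cover the preceding request to /mcp, since the summary describes a session ID obtained there before /mcp_message is used.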