CVE-2026-33032: 2,689 nginx Servers Exposed to Full Takeover Without a Password

nginx-ui's Model Context Protocol integration exposes two HTTP endpoints: /mcp and /mcp_message. Both endpoints route requests to the same privileged handler, which can invoke 12 distinct MCP tools — including nginx configuration file creation, modification, and deletion; nginx service restart; and automatic configuration reload.

The root cause is a single missing line of middleware. The /mcp endpoint correctly chains both IPWhiteList() and AuthRequired() middleware, requiring IP validation and authenticated credentials before reaching the handler. The /mcp_message endpoint chains only IPWhiteList(). The middleware asymmetry means both endpoints reach the same privileged handler, but one path strips the authentication requirement entirely.

The insecure default compounds the problem. nginx-ui ships with an empty default IP allowlist. IPWhiteList() middleware treats an empty allowlist as 'allow all' rather than 'deny all' — eliminating even the IP-based restriction that was intended to compensate for the missing authentication. Any attacker with network access to the nginx-ui port reaches a fully unrestricted /mcp_message endpoint.

'The /mcp route chains IPWhiteList() and AuthRequired(). /mcp_message chains IPWhiteList() only. Both forward to the same handler,' wrote Yotam Perkal of Pluto Security in the disclosure. The fix is a one-line code addition — inserting middleware.AuthRequired() into the /mcp_message route registration — but the damage from the omission extends to complete server ownership for every instance that remains unpatched. The MCPwn name Perkal coined captures both the technical root cause and the completeness of the resulting compromise.

The CVE-2026-33032 attack requires only four steps and network access to a vulnerable nginx-ui instance. For targets also running CVE-2026-27944 — affecting nginx-ui prior to v2.3.3 — the chain extends by one step that extracts persistent credential material before any configuration is touched.

Identification is straightforward: Shodan indexes approximately 2,689 publicly reachable nginx-ui deployments identifiable by their login page branding, with the highest concentrations hosted on Alibaba Cloud, Oracle Cloud, Tencent, and DigitalOcean. Internal instances are reachable to any attacker with a network foothold obtained through other means — including the enterprise credential theft vectors covered in our OAuth2 token theft post on malicious Chrome extensions.

Session establishment requires a single unauthenticated GET to /mcp, which returns a sessionId via Server-Sent Events. No credentials are needed. The attacker then POSTs to /mcp_message?sessionId= with no Authorization header. The request bypasses authentication entirely and invokes privileged MCP tools with full handler access.

Of the 12 available MCP tools, 7 are destructive: nginx configuration file creation, modification, and deletion; nginx service restart; reload trigger; server block injection for traffic interception; and credential harvesting from nginx authentication logs. A threat actor who completes step 4 effectively owns every service running behind that nginx instance.

nginx-ui's 11,000+ GitHub stars and 430,000+ Docker image pulls indicate significant adoption across DevOps teams, hosting providers, and self-managed infrastructure operators — environments where a web-based nginx management dashboard is valued precisely because it reduces dependence on command-line administration. The same accessible design that makes nginx-ui operationally convenient is what CVE-2026-33032 turns against defenders.

Shodan data as of April 2026 shows approximately 2,689 nginx-ui instances directly accessible on the public internet, with geographic distribution concentrated in cloud-heavy regions: China leads with the largest share of exposed instances, followed by the United States, Indonesia, Germany, and Hong Kong. Cloud providers hosting the highest concentrations include Alibaba Cloud, Oracle Cloud, Tencent Cloud, and DigitalOcean — reflecting strong adoption in cloud-native infrastructure where nginx commonly serves as an API gateway or ingress controller.

The 2,689 publicly reachable figure significantly understates total exposure. nginx-ui deployments on internal networks are equally vulnerable and reachable to any attacker who has established a foothold through another means — a compromised endpoint, lateral movement through a misconfigured VPN, or credentials obtained via the type of OAuth2 token theft covered in our analysis of the malicious Chrome extension campaign targeting enterprise Google accounts. From an attacker's perspective, an nginx-ui management interface on an internal server represents an immediate escalation point: modify the reverse proxy configuration, and you can redirect internal application traffic to attacker-controlled infrastructure.

CVE-2026-27944 is a second CVSS 9.8 vulnerability in nginx-ui versions prior to v2.3.3 that acts as a force multiplier for CVE-2026-33032. The /api/backup endpoint in affected versions delivers a complete system backup archive to any requesting client — no authentication, session token, or authorization header required.

The archive contents transform a session-establishment attack into a full persistent compromise. An attacker downloading the backup obtains the node_secret parameter needed for /mcp SSE session establishment, user credential hashes for all administrator accounts, the JwtSecret signing key used to generate valid admin JSON Web Tokens, SSL private keys for all TLS-terminating nginx domains, and the complete nginx configuration mapping every server block, upstream target, and proxy rule.

The combined exploitation of CVE-2026-27944 and CVE-2026-33032 mirrors the attack class covered in our analysis of CVE-2022-1388 — the F5 BIG-IP iControl REST authentication bypass — where management plane exposure gave unauthenticated attackers remote code execution across network infrastructure. In both cases, the management interface's privileged access to the underlying system transforms an authentication bypass into a full infrastructure compromise. The difference is that nginx-ui additionally hands attackers the SSL keys needed to decrypt every TLS-protected connection the server handles — a capability that persists even after patching, if the keys are not rotated post-compromise.

Recorded Future's CVE Landscape report for March 2026 listed CVE-2026-33032 among the 31 most actively exploited vulnerabilities of the month, assigning it a risk score of 94 out of 100. This ranking places it in the top tier of exploited CVEs tracked globally that month — notable given that the vulnerability was a fresh disclosure patched only two weeks before active exploitation was confirmed.

watchTowr Labs recorded exploitation attempts against CVE-2026-33032 on their honeypot infrastructure beginning March 31, 2026 — 16 days after the patch release on March 15. The rapid weaponization timeline is consistent with patterns observed in high-profile web management interface authentication bypasses, where public proof-of-concept availability compresses the exploit window to days. A working PoC for CVE-2026-33032 was made publicly available in late March 2026 alongside the CVE identifier, eliminating the barrier of independent exploit development.

VulnCheck formally added CVE-2026-33032 to its Known Exploited Vulnerabilities catalog on April 13, 2026. CISA has not yet added the CVE to its official KEV catalog as of April 16, but organisations following CISA BOD 22-01-equivalent patch prioritisation frameworks should treat VulnCheck KEV additions as equivalent signals. The pattern of missing-authentication vulnerabilities in network management interfaces — from CVE-2024-47575 (Fortinet FortiManager FortiJump) to MCPwn — continues to define the most actively targeted attack surface in enterprise infrastructure.

The primary remediation for CVE-2026-33032 is version upgrade. Users should update to nginx-ui v2.3.6 — the current release as of April 2026 — which includes fixes for both CVE-2026-33032 and CVE-2026-27944 along with additional security hardening. Version 2.3.4 was the initial patch for CVE-2026-33032 (released March 15, 2026), but v2.3.6 is the recommended target.

For organisations unable to upgrade during an emergency maintenance window, two code-level workarounds are available from the disclosure: add middleware.AuthRequired() to the /mcp_message route registration, and configure the IP allowlist to explicitly permit only trusted management hosts rather than relying on the insecure empty-list-as-allow-all default.

If MCP is not operationally required in your environment, disable the MCP feature entirely. Disabling MCP eliminates the /mcp and /mcp_message endpoints from the attack surface completely — the most conservative and immediately effective mitigation available.

Post-remediation, treat any pre-v2.3.4 instance as potentially compromised and rotate all secrets extracted from the backup endpoint: nginx-ui administrator credentials, the JwtSecret signing key, and SSL private keys for all TLS-terminating domains managed by the affected nginx-ui instance.

CVE-2026-33032 is a reminder that the management plane is the attack surface. The nginx-ui authentication bypass requires no exploit sophistication — a single unauthenticated POST to /mcp_message invokes privileged MCP tools on every unpatched instance. With 2,689 publicly exposed deployments and active exploitation confirmed since March 2026, the window for a deferred upgrade has already closed.

For any organisation running nginx-ui v2.3.3 or earlier: upgrade to v2.3.6 today. Rotate administrator credentials and JwtSecret on every instance that was exposed during the vulnerability window. Restrict management interface access to private networks. And audit your nginx configuration for signs that an attacker already used the open door.