Overview
On March 30, 2026, a security advisory was published for a critical vulnerability affecting Nginx UI, an open-source web interface for centrally managing Nginx configurations and SSL certificates. The vulnerability, CVE-2026-33032, was reported in early March by Pluto Security researcher Yotam Perkal and patched on March 15, 2026. That same day, Pluto Security published a technical blog post with some vulnerability details.
CVE-2026-33032 is a missing authentication bug with a CVSS score of 9.8. Because the authentication controls are missing, an unauthenticated attacker can reach a Model Context Protocol (MCP) server that performs privileged operations on the Nginx web servers managed by Nginx UI. Systems are vulnerable in the default configuration, in which the MCP IP allowlist permits any remote IP to access MCP functionality. Successful exploitation gives the attacker full control of the managed Nginx service.
According to a Recorded Future report published on April 13, 2026, exploitation of CVE-2026-33032 in the wild has begun.
Mitigation guidance
Organizations running Nginx UI should prioritize updating on an urgent basis to remediate CVE-2026-33032. Additionally, to reduce exposure to future vulnerabilities affecting Nginx UI, defenders should ensure that network access to the Nginx UI management interface is strictly limited to those who must have it.
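One way to enforce the network restriction described above is to place the Nginx UI management interface behind an nginx reverse proxy that only admits a management network. The following configuration is an added example and is not code from Rapid7, Pluto Security, or the Nginx UI project; it assumes Nginx UI has been bound to 127.0.0.1:9000 (a hypothetical setting) and that 10.20.0.0/24 is a hypothetical management subnet.

```nginx
# Front-end reverse proxy for the Nginx UI management interface.
# Assumptions (not from the advisory): Nginx UI listens only on
# 127.0.0.1:9000, and 10.20.0.0/24 is the sole network allowed to reach it.
server {
    listen 443 ssl;
    server_name nginx-ui.internal.example;   # hypothetical hostname

    ssl_certificate     /etc/ssl/nginx-ui.crt;   # hypothetical paths
    ssl_certificate_key /etc/ssl/nginx-ui.key;

    # Network-level restriction at the server level applies to every path,
    # including any MCP endpoints, independent of Nginx UI's own allowlist.
    allow 10.20.0.0/24;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Nginx UI uses WebSockets for features such as log streaming.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The `allow`/`deny` rules only help if the backend port is not reachable directly: bind Nginx UI to loopback or firewall its listening port as well, and if another proxy or load balancer sits in front of this one, the rules must be evaluated against the real client address rather than the upstream proxy's address.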
Affected versions
According to the finder's blog post, version 2.3.3 and prior are affected, and the fix is present in version 2.3.4 and later. However, the official CVE record states that versions 2.3.5 and below are affected. Because of this discrepancy, it is unclear which version actually remediates CVE-2026-33032. Users are advised to update to the latest available version (2.3.6), which falls outside the affected range given by both sources.
Please read the vendor advisory for the latest guidance.
Rapid7 customers
Exposure Command, InsightVM, and Nexpose
Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-33032 with unauthenticated checks expected to be available in the April 17 content release.
Updates
April 16, 2026: Initial publication.