Critical Vulnerability in Nginx UI Actively Exploited (CVE-2026-33032)
Summary
The Cyber Security Agency of Singapore (CSA) issued an alert regarding a critical vulnerability (CVE-2026-33032) in Nginx-UI with Model Context Protocol (MCP) support. The vulnerability has a CVSS v3.1 score of 9.8 out of 10 and is being actively exploited in the wild with a public proof-of-concept exploit available. Successful exploitation allows network attackers to invoke all MCP tools without authentication and achieve complete NGINX service takeover.
What changed
CSA published an alert stating that Nginx-UI versions prior to 2.3.6 contain a critical authentication bypass vulnerability (CVE-2026-33032) affecting MCP support. The vulnerability allows any network attacker to invoke MCP tools without authentication, modify nginx configurations, and take complete control of the NGINX service. Organizations running affected Nginx-UI deployments face immediate risk of compromise and should treat this as a critical priority. The alert references GitHub Security Advisory GHSA-h6c2-x2m2-mwhf and NVD CVE-2026-33032 for additional technical details and remediation guidance.
What to do next
- Update Nginx-UI to the latest version immediately
Archived snapshot
Apr 17, 2026
GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.
Critical Vulnerability in Nginx UI
17 April 2026
Nginx-UI has released a security advisory addressing a vulnerability affecting Nginx-UI with Model Context Protocol (MCP) support. This vulnerability is being exploited in the wild. Successful exploitation of this vulnerability can allow any network attacker to invoke all MCP tools without authentication and lead to a complete NGINX service takeover.
Users and administrators of affected products are advised to update to the latest version immediately.
Background
Nginx-UI has released a security advisory addressing a vulnerability (CVE-2026-33032) affecting Nginx-UI with Model Context Protocol (MCP) support. The vulnerability has a Common Vulnerability Scoring System (CVSS v3.1) score of 9.8 out of 10.
Impact
Successful exploitation of this vulnerability can allow any network attacker to invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads, leading to a complete NGINX service takeover.
Known Exploitation
This vulnerability is reportedly being actively exploited, and a proof-of-concept exploit is publicly available.
Affected products
The vulnerability affects Nginx-UI versions prior to 2.3.6.
Recommendations
Users and administrators of affected products are advised to update to the latest version immediately.
References
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf
About this page
Source document text, dates, docket IDs, and authority are extracted directly from CSA.
The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.