CVE-2026-33032 · EXPLOITED · CVSS 9.8
go · github.com/0xjacky/nginx-ui

Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover

Description

A vulnerability described as critical has been identified in 0xJacky nginx-ui up to 2.3.5. It affects the function AuthRequired of the file /mcp in the Model Context Protocol component. The manipulation results in missing authentication. The vulnerability is tracked as CVE-2026-33032. The attack can be launched remotely.

Affected Products

Vendor | Product | Versions
go | github.com/0xjacky/nginx-ui | go/github.com/0xJacky/Nginx-UI: <= 1.99

References

  • https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf (x_refsource_CONFIRM)

Related News (1 articles)

Tier C
VulDB · 3h ago
CVE-2026-33032 | 0xJacky nginx-ui up to 2.3.5 Model Context Protocol /mcp AuthRequired missing authentication (GHSA-h6c2-x2m2-mwhf)
→ No new info (linked only)
CVSS 3.1: 9.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA KEV: ❌ No
Actively exploited: ✅ Yes
CWE: CWE-306
Published: Mar 30, 2026
Last enriched: 3h ago (v2)
Tags: GHSA-h6c2-x2m2-mwhf, go
Trending Score: 73
Source articles: 1
Independent: 1
Info Completeness: 8/14
Missing: epss, kev, exploit, patch, iocs, mitre_attack

Related CVEs (5)

MEDIUM · CVE-2026-33027 · EXP
Nginx UI: Improper Path Validation Allows Recursive Deletion of the Nginx Configuration Directory
Trending: 61
HIGH · CVE-2026-33028 · EXP
Nginx UI: Race Condition Leads to Persistent Data Corruption and Service Collapse
Trending: 56
CRITICAL · CVE-2026-34041 · EXP
act: Unrestricted set-env and add-path command processing enables environment injection
Trending: 33
HIGH · CVE-2026-33030
Nginx UI: Unencrypted Storage of DNS API Tokens and ACME Private Keys
Trending: 27
MEDIUM · CVE-2026-33029
Nginx UI: DoS via Negative Integer Input in Logrotate Interval
Trending: 24

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

CVE Published: Mar 30, 2026
Discovered by ZDM: Mar 30, 2026
Actively Exploited: Mar 30, 2026
Updated (description, activelyExploited): Mar 30, 2026

Version History

v2
Last enriched 3h ago
v2 · Tier C · 3h ago

Updated vendor to 0xJacky, product to nginx-ui, marked as actively exploited, and provided a more detailed description of the vulnerability.

description, activelyExploited
via VulDB
v1 · 6h ago

Initial creation