
CVE-2026-33032: Nginx UI Missing MCP Authentication

Source: Rapid7 (archived Apr 17, 2026)




Overview

On March 30, 2026, a security advisory was published for a critical vulnerability affecting Nginx UI. Nginx UI is an open-source web interface to centralize the management of Nginx configurations and SSL certificates. The critical vulnerability, CVE-2026-33032, was reported in early March by Pluto Security researcher Yotam Perkal and subsequently patched on March 15, 2026. That same day, Pluto Security published a technical blog post with some vulnerability details.

CVE-2026-33032 is a missing authentication bug with a CVSS score of 9.8. Because authentication controls are missing, an unauthenticated attacker can access a Model Context Protocol (MCP) server that can perform privileged operations on managed Nginx web servers. Systems are vulnerable in the default IP allowlist configuration, which allows any remote IP to access MCP functionality. Exploitation results in full attacker control of the managed Nginx service. According to a Recorded Future report published on April 13, 2026, exploitation of CVE-2026-33032 in the wild has begun.

Mitigation guidance

Organizations running Nginx UI should prioritize updating on an urgent basis to remediate CVE-2026-33032. Additionally, to reduce exposure to future vulnerabilities affecting Nginx UI, defenders should ensure that network access to the Nginx UI management interface is strictly limited to those who must have it.

Affected versions

According to the finder's blog post, version 2.3.3 and prior are affected, and the fix is present in version 2.3.4 and later. However, the official CVE record states that versions 2.3.5 and below are affected. This discrepancy in affected version numbers makes it unclear which version is required to remediate CVE-2026-33032. To avoid the discrepancy, users are advised to update to the very latest version (2.3.6). Please read the vendor advisory for the latest guidance.

Rapid7 customers

Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-33032 with unauthenticated checks expected to be available in the April 17 content release.

Updates

April 16, 2026: Initial publication.
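As an added worked example (not code from Rapid7 or the Nginx UI project): a small inventory-triage helper that applies the two affected-version ranges quoted in the advisory and its recommendation to update to 2.3.6, and ranks hosts whose management interface is reachable from remote networks first. The `mgmt_reachable_remotely` attribute and the sample hosts are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Version boundaries quoted in the advisory: the finder's blog post says 2.3.3 and prior are
# affected with the fix in 2.3.4; the official CVE record says 2.3.5 and below are affected;
# Rapid7 recommends updating to 2.3.6 to sidestep the discrepancy.
FINDER_LAST_AFFECTED = (2, 3, 3)
CVE_LAST_AFFECTED = (2, 3, 5)

class Host(NamedTuple):
    name: str
    version: str
    mgmt_reachable_remotely: bool  # assumed inventory attribute, not from the advisory

def parse_version(text: str) -> tuple:
    """Turn 'v2.3.4' or '2.3.4' into a comparable (major, minor, patch) tuple.
    A pre-release or build suffix such as '-rc1' is accepted and ignored."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)(?:[-+][0-9A-Za-z.]+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Nginx UI version string: {text!r}")
    return tuple(int(x) for x in m.groups())

def classify(version: str) -> str:
    """'vulnerable' (both sources agree), 'ambiguous' (fixed per the finder, affected per
    the CVE record) or 'fixed' (2.3.6 and later, the version the advisory recommends)."""
    v = parse_version(version)
    if v <= FINDER_LAST_AFFECTED:
        return "vulnerable"
    if v <= CVE_LAST_AFFECTED:
        return "ambiguous"
    return "fixed"

def priority(host: Host) -> str:
    """Anything below 2.3.6 needs an update; a management interface reachable from remote
    networks makes it urgent, since the default allowlist admits any remote IP."""
    if classify(host.version) == "fixed":
        return "none"
    return "urgent" if host.mgmt_reachable_remotely else "scheduled"

def triage(hosts: list) -> list:
    """Return (name, verdict, priority) rows, most urgent first (sort is stable)."""
    order = {"urgent": 0, "scheduled": 1, "none": 2}
    rows = [(h.name, classify(h.version), priority(h)) for h in hosts]
    return sorted(rows, key=lambda r: order[r[2]])

# Constructed sample inventory; hostnames and versions are made up for illustration.
SAMPLE = [Host("ui-edge", "v2.3.2", True), Host("ui-lab", "2.3.4", False),
          Host("ui-core", "2.3.6", True), Host("ui-staging", "2.3.5", True)]
```

Running `triage(SAMPLE)` lists the remotely reachable, not-yet-updated hosts first so they can be patched or network-restricted before the rest.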