CVE-2026-33032 describes a severe vulnerability in nginx-ui that enables unauthenticated access to Nginx servers. The flaw stems from the /mcp_message endpoint, which relies only on IP whitelisting; because the default whitelist effectively allows all addresses, attackers can reach the service without authentication and seize control of it.
The nginx-ui MCP integration exposes two HTTP endpoints, /mcp and /mcp_message; while /mcp requires IP whitelisting and authentication, /mcp_message does not, leaving it open to exploitation. Yotam Perkal of Pluto Security disclosed the issue, noting it can be exploited in seconds with just two HTTP requests: POST /mcp_message?sessionId=xxx to invoke any tool, then GET /mcp?node_secret=xxx to establish an SSE session.
A single unauthenticated request can let attackers fully compromise nginx-ui, including reading configs, intercepting traffic, stealing tokens and secrets, and potentially triggering config reloads or a complete service takeover. The flaw was fixed in nginx-ui version 2.3.4 by adding a missing authentication check to the /mcp_message endpoint, with a regression test ensuring both endpoints require authentication; v2.3.3 remains the last vulnerable release.
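The fix pattern described above, as an added Go example that is not nginx-ui's own code: a router where the auth middleware wraps only /mcp (the pre-2.3.4 shape) beside one where it wraps both endpoints, plus the regression check that each endpoint returns 401 to a request carrying no credentials. The bearer-token scheme, handler bodies and function names are constructed for illustration and do not model nginx-ui's real authentication.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const demoSecret = "demo-secret" // hypothetical token; nginx-ui's real auth scheme is not modelled
// requireAuth rejects any request that does not carry the expected bearer token.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+demoSecret {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Constructed stand-ins for the two MCP handlers (the real ones do SSE and tool dispatch).
func mcpHandler(w http.ResponseWriter, r *http.Request)        { fmt.Fprint(w, "sse session") }
func mcpMessageHandler(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "tool invoked") }
// newMux builds the router; protectMessage=false mirrors the pre-2.3.4 bug where only /mcp was wrapped.
func newMux(protectMessage bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/mcp", requireAuth(http.HandlerFunc(mcpHandler)))
	var msg http.Handler = http.HandlerFunc(mcpMessageHandler)
	if protectMessage {
		msg = requireAuth(msg)
	}
	mux.Handle("/mcp_message", msg)
	return mux
}

// unauthenticatedStatuses is the regression check: status each MCP endpoint returns with no credentials.
func unauthenticatedStatuses(mux http.Handler) map[string]int {
	out := map[string]int{}
	for _, p := range []string{"/mcp", "/mcp_message"} {
		rec := httptest.NewRecorder()
		mux.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, p, nil))
		out[p] = rec.Code
	}
	return out
}

func main() {
	fmt.Println("vulnerable:", unauthenticatedStatuses(newMux(false))) // map[/mcp:401 /mcp_message:200]
	fmt.Println("fixed:", unauthenticatedStatuses(newMux(true)))       // map[/mcp:401 /mcp_message:401]
}
```

The same check belongs in CI so that any future route added under the MCP prefix is caught if it is registered outside the authenticated group.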