CVE-2026-33032

Description

nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover in github.com/0xJacky/Nginx-UI

How to fix CVE-2026-33032

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• Go/github.com/0xJacky/Nginx-UI—no fix listed
• —no fix listed

Is CVE-2026-33032 being exploited?

Moderate — EPSS is 12.7%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

• from 0, <= 1.99
• from 0

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-33032
• PATCHgithub.com/0xJacky/nginx-ui
• WEBgithub.com/0xJacky/nginx-ui/blob/f89f8ff8223478988f7ed49bf1d3dbf2de44bf92/internal/middleware/ip_whitelist.go#L11-L26
• WEBgithub.com/0xJacky/nginx-ui/blob/f89f8ff8223478988f7ed49bf1d3dbf2de44bf92/mcp/router.go#L9-L17