SB2026041626 - Missing authentication in Nginx UI MCP

Description

This security bulletin contains information about 1 vulnerability.

1) Missing Authentication for Critical Function (CVE-ID: CVE-2026-33032)

CWE-ID: CWE-306 - Missing Authentication for Critical Function

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber

The vulnerability allows a remote attacker to take control of the nginx service, disclose sensitive configuration information, and cause a denial of service.

The vulnerability exists due to missing authentication for critical functionality in the /mcp_message endpoint when handling MCP tool invocation requests. A remote attacker can send specially crafted HTTP requests to invoke MCP tools without authentication to take control of the nginx service, disclose sensitive configuration information, and cause a denial of service.

The issue occurs because /mcp_message routes to the same MCP handler as /mcp, while the default empty IP whitelist is treated as allow-all.

Remediation

Install update from vendor's website.

References

• https://github.com/advisories/GHSA-h6c2-x2m2-mwhf
• https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf