SB2026041626 - Missing authentication in Nginx UI MCP

Description

This security bulletin contains information about 1 security vulnerability.

1) Missing Authentication for Critical Function (CVE-ID: CVE-2026-33032)

The vulnerability allows a remote attacker to take control of the nginx service, disclose sensitive configuration information, and cause a denial of service.

The vulnerability exists due to missing authentication for critical functionality in the /mcp_message endpoint when handling MCP tool invocation requests. A remote attacker can send specially crafted HTTP requests to invoke MCP tools without authentication to take control of the nginx service, disclose sensitive configuration information, and cause a denial of service.

The issue occurs because /mcp_message routes to the same MCP handler as /mcp, while the default empty IP whitelist is treated as allow-all.

Remediation

Install update from vendor's website.

References

• https://github.com/advisories/GHSA-h6c2-x2m2-mwhf
• https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf