Main Vulnerability Database Exploits ID:12591 - Exploit for Missing Authentication for Critical Function in nginx-ui - CVE-2026-33032

ID:12591 - Exploit for Missing Authentication for Critical Function in nginx-ui - CVE-2026-33032

Published: April 16, 2026

Vulnerability identifier: #VU126309

Vulnerability risk: High

CVE-ID: CVE-2026-33032

CWE-ID: CWE-306

Exploitation vector: Remote access

Vulnerable software:
nginx-ui

Link to public exploit:

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf#poc

Vulnerability description

The vulnerability allows a remote attacker to take control of the nginx service, disclose sensitive configuration information, and cause a denial of service.

The vulnerability exists due to missing authentication for critical functionality in the /mcp_message endpoint when handling MCP tool invocation requests. A remote attacker can send specially crafted HTTP requests to invoke MCP tools without authentication to take control of the nginx service, disclose sensitive configuration information, and cause a denial of service.

The issue occurs because /mcp_message routes to the same MCP handler as /mcp, while the default empty IP whitelist is treated as allow-all.

Remediation

Install security update from vendor's website.

ID:12591 - Exploit for Missing Authentication for Critical Function in nginx-ui - CVE-2026-33032

Link to public exploit:

Vulnerability description

Remediation

Please verify you're human