Nginx UI - Broken Access Control
CVE-2026-33032
Early Release
Description
Network attackers can fully control the nginx service, including config modification and service restart, leading to complete service takeover.
Severity
Critical
CVSS Score
9.8
Exploit Probability
5%
Affected Product
nginx-ui
Published Date
April 16, 2026
Template Author
dhiyaneshdk
CVE-2026-33032.yaml
id: CVE-2026-33032

info:
  name: Nginx UI - Broken Access Control
  author: DhiyaneshDk
  severity: critical
  description: |
    Network attackers can fully control the nginx service, including config modification and service restart, leading to complete service takeover.
  impact: |
    An unauthenticated attacker with a valid MCP session ID can inject arbitrary nginx configurations, create reverse proxies for credential theft, and achieve remote code execution via nginx config primitives.
  remediation: Upgrade to nginx-ui v2.3.4 or later, which adds AuthRequired() to /mcp_message.
  reference:
    - https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf
    - https://github.com/0xJacky/nginx-ui/commit/413dc631
    - https://nvd.nist.gov/vuln/detail/CVE-2026-33032
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2026-33032
    epss-score: 0.04973
    epss-percentile: 0.89701
    cwe-id: CWE-306
  metadata:
    verified: true
    max-request: 1
    product: nginx-ui
    shodan-query: http.title:"Nginx UI"
    fofa-query: title="Nginx UI"
  tags: cve,cve2026,nginx-ui,mcp,unauth,misconfig,vkev

variables:
  string: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST /mcp_message HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/json

        {"jsonrpc":"2.0","method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"{{string}}","version":"1.0"}},"id":1}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{"jsonrpc":'
          - '"message":'
          - '"id":'
        condition: and

      - type: status
        status:
          - 400
# digest: 4a0a0047304502210099bb5a353408b17286a66234748d77f893bea4edea8d33ef541e846fa2b4cc460220106766f905c17a1d5b67adcd511e84290c269e02623c67e907cbd64df2447b0a:922c64590222798bb761d5b6d8e72950
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
CVE-2026-33032
CWE ID:
CWE-306
Remediation Steps
Upgrade to nginx-ui v2.3.4 or later, which adds AuthRequired() to /mcp_message.
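To confirm on your own instance that the upgrade took effect, the following added example (not part of the template above or of the nginx-ui project) reproduces the template's request and its matchers in plain Python: a 400 response that still carries a JSON-RPC envelope means the unauthenticated request reached the MCP handler, which is exactly what AuthRequired() on /mcp_message is meant to prevent. The sample responses used in the check are constructed for illustration.

```python
import json
import urllib.error
import urllib.request

MCP_PATH = "/mcp_message"
# Matchers from the template: status 400 AND all three substrings in the body.
EXPECTED_WORDS = ('{"jsonrpc":', '"message":', '"id":')
EXPECTED_STATUS = 400


def initialize_request(client_name: str) -> bytes:
    """Build the JSON-RPC 'initialize' body the template sends (client name is arbitrary)."""
    body = {
        "jsonrpc": "2.0",
        "method": "initialize",
        "params": {
            "protocolVersion": "2024-11-05",
            "capabilities": {},
            "clientInfo": {"name": client_name, "version": "1.0"},
        },
        "id": 1,
    }
    return json.dumps(body, separators=(",", ":")).encode()


def matches_template(status: int, body: str) -> bool:
    """Apply the template's matchers to a response.

    A 400 that still carries a JSON-RPC envelope shows the unauthenticated request
    reached the MCP handler; with AuthRequired() in front, auth answers first.
    """
    return status == EXPECTED_STATUS and all(w in body for w in EXPECTED_WORDS)


def check_instance(base_url: str, timeout: float = 10.0) -> bool:
    """Send the request to your own instance and return True if it still matches."""
    req = urllib.request.Request(
        base_url.rstrip("/") + MCP_PATH,
        data=initialize_request("verify"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return matches_template(resp.status, resp.read().decode(errors="replace"))
    except urllib.error.HTTPError as err:  # 4xx/5xx raise, but the body is still readable
        return matches_template(err.code, err.read().decode(errors="replace"))
```

`check_instance("https://nginx-ui.internal.example")` returning False after the upgrade is the expected result; True means the endpoint is still reachable without authentication.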