What is CVE-2026-33032?

CVE-2026-33032 is a security vulnerability identified in nginx-ui. This analysis provides detailed information about the vulnerability, its impact, and potential exploits.

Is there a PoC for CVE-2026-33032?

This security analysis examines the vulnerability in detail. Review the analysis findings for exploit potential and proof-of-concept information related to CVE-2026-33032.

How can I protect against CVE-2026-33032?

Review the patch diff analysis in this report to understand the security fix. Updating to the patched version is recommended to mitigate CVE-2026-33032.

REPORT / 01

Analysis Report · nginx-ui v2.3.3 → v2.3.4 — CVE-2026-33032

Shared security patch analysis results

mode patchdiff ai copilot oswe-vscode-prime

02 · Lifecycle actions cancel · resume · skip · regenerate

03 · Share this analysis copy link · embed report

03 · CVE Security Analysis & Writeups ai-generated · per cve

Comprehensive security analysis generated by AI for each confirmed CVE match. Click on a CVE to view the detailed writeup including vulnerability background, technical details, patch analysis, and PoC guide.

CVE-2026-33032 NVD

AI-Generated Analysis

## 1. Vulnerability Background

What is this vulnerability?

- CVE-2026-33032 is an authentication/authorization bypass in Nginx UI’s MCP (Model Context Protocol) integration.
- The component exposes two HTTP endpoints: `/mcp` and `/mcp_message`.
- `/mcp` was protected by both IP whitelisting and `AuthRequired()` middleware.
- `/mcp_message` was only protected by IP whitelisting.

Why is it critical/important?

- The default IP whitelist is empty, and the whitelist middleware treats an empty list as “allow all”.
- This means a remote attacker can call `/mcp_message` without authentication on default installations.
- The MCP endpoint can invoke administrative operations such as restarting nginx, creating/modifying/deleting configuration files, and triggering config reloads.
- This results in complete nginx service takeover and arbitrary configuration manipulation.

What systems/versions are affected?

- Nginx UI versions 2.3.5 and prior.
- Any deployment using the default MCP configuration or with an empty whitelist.
- Network-exposed installations are especially at risk.

## 2. Technical Details

Root cause analysis

- The root cause is inconsistent middleware protection between two related MCP endpoints.
- In `mcp/router.go`, `/mcp_message` was registered with only `middleware.IPWhiteList()`.
- The `AuthRequired()` middleware was omitted, unlike `/mcp`.
- The IP whitelist middleware has a design flaw: an empty whitelist is treated as permitting all addresses rather than denying all.

Attack vector and exploitation conditions

- An attacker needs only network access to the nginx-ui instance.
- If the default ACL is in use, `/mcp_message` is reachable without credentials.
- The attacker sends HTTP requests to `/mcp_message` with MCP payloads.
- Because the handler forwards directly to `mcp.ServeHTTP`, any MCP tool can be invoked.

Security implications

- Unauthorized administrative access to nginx UI.
- Ability to restart nginx or trigger config reloads.
- Ability to create, modify, or delete nginx configuration files.
- Potential for persistent compromise, service disruption, and further lateral movement.
- The vulnerability is effectively a complete takeover of the managed nginx service.

## 3. Patch Analysis

What code changes were made?

- `mcp/router.go`
  - Old registration: `r.Any("/mcp_message", middleware.IPWhiteList(), func(c *gin.Context) { mcp.ServeHTTP(c) })`
  - Fixed registration: `r.Any("/mcp_message", middleware.IPWhiteList(), middleware.AuthRequired(), func(c *gin.Context) { mcp.ServeHTTP(c) })`
- `mcp/router_test.go`
  - Added regression coverage that sets `settings.AuthSettings.IPWhiteList = nil`.
  - Verifies POST requests to both `/mcp` and `/mcp_message` return HTTP 403 with `{"message":"Authorization failed"}`.
- `mcp/config/config_add.go`
  - Replaced direct path construction and directory check with `config.ResolveConfPath`.
  - Both base directory and target file name are resolved before writing.

How do these changes fix the vulnerability?

- Adding `middleware.AuthRequired()` to `/mcp_message` enforces authentication on the previously unprotected endpoint.
- The regression test ensures this behavior is preserved even when the IP whitelist is nil/empty.
- The config path resolution change reduces the risk of path traversal or directory escape when writing configuration files.

Security improvements introduced

- Consistent authorization policy across MCP endpoints.
- Regression coverage for authentication enforcement under empty whitelist conditions.
- Stronger path resolution in config write operations.
- Reduced likelihood of an attacker bypassing controls via malformed file paths.

## 4. Proof of Concept (PoC) Guide

Prerequisites for exploitation

- Nginx UI version 2.3.5 or earlier.
- Network access to the nginx-ui service.
- Default or empty IP whitelist configuration.
- No additional external access controls protecting `/mcp_message`.

Step-by-step exploitation approach

1. Identify the nginx-ui base URL.
2. Send an unauthenticated HTTP request to `/mcp_message`.
3. Observe the response and behavior.
4. If exploitation is intended, send a valid MCP payload to trigger an administrative action, such as reload or config write.

Example detection request:

- `curl -i http://<host>/mcp_message`

Expected behavior vs exploited behavior

- Expected behavior after patch:
  - `/mcp_message` returns HTTP 403 or equivalent authorization failure without valid auth.
  - `/mcp` and `/mcp_message` both enforce authentication.
- Exploited behavior on vulnerable installations:
  - `/mcp_message` accepts requests without credentials.
  - An attacker can invoke MCP functionality directly.

How to verify the vulnerability exists

- Confirm `/mcp` requires auth by sending an unauthenticated request and seeing a 403 or auth challenge.
- Confirm `/mcp_message` does not require auth by sending an unauthenticated request and receiving a successful response or different behavior.
- A stronger verification is to trigger a harmless MCP action and observe whether it succeeds without authentication.
- Reviewing source code or configuration for `r.Any("/mcp_message", middleware.IPWhiteList(), ...)` is a direct confirmation.

## 5. Recommendations

Mitigation strategies

- Apply the patch or upgrade to a fixed version as soon as available.
- If patching is not immediately possible:
  - Block access to `/mcp_message` at the network edge.
  - Restrict access to nginx-ui to trusted hosts only.
  - Configure a non-empty IP whitelist and validate it behaves as deny-by-default.
  - Disable or isolate MCP integration if not required.

Detection methods

- Monitor web server logs for requests to `/mcp_message`.
- Look for unexpected POST/PUT/DELETE activity against MCP endpoints.
- Alert on successful access to `/mcp_message` without authentication.
- Compare responses for `/mcp` and `/mcp_message`; a discrepancy is suspicious.

Best practices to prevent similar issues

- Enforce consistent middleware and authorization chains across all related endpoints.
- Treat empty whitelists as deny-by-default, not allow-all.
- Add regression tests for authentication behavior, especially in default or edge-case configurations.
- Use canonical path resolution for file system operations to prevent traversal or directory escape.
- Conduct code reviews focused on middleware ordering and security policy enforcement.

05 · Findings filter · search · paginate

Showing 0 to 0 of 0 results

mcp/config/config_add.go AI: 1 vulnerabilities 1 true positive(s) CVE-2026-33032

--- cache/nginx-ui_v2.3.3/mcp/config/config_add.go	2026-04-19 12:37:20.691130313 +0000+++ cache/nginx-ui_v2.3.4/mcp/config/config_add.go	2026-04-19 12:37:22.311230867 +0000@@ -5,7 +5,6 @@ 	"encoding/json" 	"errors" 	"os"-	"path/filepath"  	"github.com/0xJacky/Nginx-UI/internal/config" 	"github.com/0xJacky/Nginx-UI/internal/helper"@@ -48,10 +47,14 @@ 		} 	} -	dir := nginx.GetConfPath(baseDir)-	path := filepath.Join(dir, name)-	if !helper.IsUnderDirectory(path, nginx.GetConfPath()) {-		return nil, config.ErrPathIsNotUnderTheNginxConfDir+	dir, err := config.ResolveConfPath(baseDir)+	if err != nil {+		return nil, err+	}++	path, err := config.ResolveConfPath(baseDir, name)+	if err != nil {+		return nil, err 	}  	if !overwrite && helper.FileExists(path) {@@ -66,7 +69,7 @@ 		} 	} -	err := os.WriteFile(path, []byte(content), 0644)+	err = os.WriteFile(path, []byte(content), 0644) 	if err != nil { 		return nil, err 	}

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
Path Traversal mcp/config/config_add.go lines 48-69
Old Code
	dir := nginx.GetConfPath(baseDir)
	path := filepath.Join(dir, name)
	if !helper.IsUnderDirectory(path, nginx.GetConfPath()) {
		return nil, config.ErrPathIsNotUnderTheNginxConfDir
	}
	err := os.WriteFile(path, []byte(content), 0644)
Fixed Code
	dir, err := config.ResolveConfPath(baseDir)
	if err != nil {
		return nil, err
	}
	path, err := config.ResolveConfPath(baseDir, name)
	if err != nil {
		return nil, err
	}
	err = os.WriteFile(path, []byte(content), 0644)

CVE Analysis Results:

CVE-2026-33032: Yes

View CVE Description

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.

mcp/router.go AI: 1 vulnerabilities 1 true positive(s) CVE-2026-33032

--- cache/nginx-ui_v2.3.3/mcp/router.go	2026-04-19 12:37:20.691130313 +0000+++ cache/nginx-ui_v2.3.4/mcp/router.go	2026-04-19 12:37:22.311230867 +0000@@ -11,7 +11,7 @@ 		func(c *gin.Context) { 			mcp.ServeHTTP(c) 		})-	r.Any("/mcp_message", middleware.IPWhiteList(),+	r.Any("/mcp_message", middleware.IPWhiteList(), middleware.AuthRequired(), 		func(c *gin.Context) { 			mcp.ServeHTTP(c) 		})

AI Analysis

Vulnerability Existed: yes
TRUE POSITIVE
Insufficient Authentication / Authorization Bypass mcp/router.go [11-13]
Old Code
    r.Any("/mcp_message", middleware.IPWhiteList(),
        func(c *gin.Context) {
            mcp.ServeHTTP(c)
        })
Fixed Code
    r.Any("/mcp_message", middleware.IPWhiteList(), middleware.AuthRequired(),
        func(c *gin.Context) {
            mcp.ServeHTTP(c)
        })

CVE Analysis Results:

CVE-2026-33032: Yes

View CVE Description

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.

mcp/router_test.go AI: Not Sure 1 false positive(s) CVE-2026-33032

--- /dev/null+++ cache/nginx-ui_v2.3.4/mcp/router_test.go@@ -0,0 +1,35 @@+package mcp++import (+	"net/http"+	"net/http/httptest"+	"testing"++	"github.com/0xJacky/Nginx-UI/settings"+	"github.com/gin-gonic/gin"+	"github.com/stretchr/testify/assert"+)++func TestMCPEndpointsRequireAuthentication(t *testing.T) {+	gin.SetMode(gin.TestMode)++	originalIPWhiteList := settings.AuthSettings.IPWhiteList+	t.Cleanup(func() {+		settings.AuthSettings.IPWhiteList = originalIPWhiteList+	})++	settings.AuthSettings.IPWhiteList = nil++	router := gin.New()+	InitRouter(router)++	for _, endpoint := range []string{"/mcp", "/mcp_message"} {+		req := httptest.NewRequest(http.MethodPost, endpoint, nil)+		w := httptest.NewRecorder()++		router.ServeHTTP(w, req)++		assert.Equal(t, http.StatusForbidden, w.Code)+		assert.JSONEq(t, `{"message":"Authorization failed"}`, w.Body.String())+	}+}

AI Analysis

Vulnerability Existed: not sure
FALSE POSITIVE
Missing authentication on MCP endpoints mcp/router_test.go lines 1-35
Old Code
<no existing code in this diff; the test file is newly added to detect missing auth>
Fixed Code
Added a regression test that sets `settings.AuthSettings.IPWhiteList = nil`, initializes the router, and verifies that POST requests to `/mcp` and `/mcp_message` return HTTP 403 with `{"message":"Authorization failed"}`.

CVE Analysis Results:

CVE-2026-33032: Yes

View CVE Description

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.

Showing 1 to 3 of 3 results