
[CIVN-2026-0191] Authentication Bypass Vulnerability in Nginx UI
Authentication Bypass Vulnerability in Nginx UI
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Nginx UI versions prior to 2.3.5.
Overview
A critical vulnerability has been reported in the Nginx UI that could allow a remote attacker to bypass security restrictions on the targeted system.
Target Audience:
Organizations and individuals running affected versions of Nginx UI.
Risk Assessment:
High risk of unauthorized access.
Impact Assessment:
Potential for system instability, data theft.
Description
NGINX UI is a web-based management interface that allows users to configure, monitor, and control NGINX services through a graphical dashboard instead of manual configuration files.
A critical vulnerability exists in Nginx UI due to missing authentication for a critical function in the Model Context Protocol (MCP) endpoint. A remote attacker could exploit this vulnerability by sending specially crafted requests to the '/mcp_message' endpoint without any authentication headers or tokens.
Successful exploitation of this vulnerability could allow a remote attacker to bypass security restrictions on the targeted system.
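Added example (not part of the CERT-In advisory or the Nginx UI project): a log triage script that lists clients outside the management network that reached the '/mcp_message' endpoint and whether their requests were served. The combined log format, the trusted network 10.20.0.0/24, the function names and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: a reverse proxy in front of Nginx UI logs in nginx "combined" format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
ENDPOINT = "/mcp_message"  # endpoint named in the advisory
# Assumption: constructed management network that may legitimately reach the UI.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]


def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client field is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)


def triage(lines):
    """Summarise requests to ENDPOINT (query string ignored) from untrusted clients."""
    hits = defaultdict(lambda: {"count": 0, "served": 0, "first": None, "last": None})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        path = m["target"].split("?", 1)[0].rstrip("/")
        if not path.endswith(ENDPOINT) or is_trusted(m["ip"]):
            continue  # endswith() also covers a sub-path deployment
        h = hits[m["ip"]]
        h["count"] += 1
        h["served"] += m["status"].startswith("2")  # 2xx: request was served
        h["first"] = h["first"] or m["ts"]
        h["last"] = m["ts"]
    return dict(hits)

# Constructed sample lines using documentation address ranges, not real traffic.
SAMPLE_LOG = [
    '203.0.113.45 - - [12/Apr/2026:03:14:07 +0000] "POST /mcp_message HTTP/1.1" 200 312 "-" "-"',
    '203.0.113.45 - - [12/Apr/2026:03:14:09 +0000] "POST /mcp_message HTTP/1.1" 200 845 "-" "-"',
    '198.51.100.7 - - [12/Apr/2026:04:01:55 +0000] "POST /mcp_message HTTP/1.1" 403 153 "-" "-"',
    '10.20.0.15 - - [12/Apr/2026:09:30:00 +0000] "POST /mcp_message HTTP/1.1" 200 290 "-" "-"',
    '203.0.113.45 - - [12/Apr/2026:03:15:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for ip, h in triage(SAMPLE_LOG).items():
        print(f"{ip}: {h['count']} request(s), {h['served']} served, {h['first']} .. {h['last']}")
```

A non-zero "served" count for an untrusted client on a version prior to 2.3.5 is the case to escalate for incident review.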
Solution
Apply appropriate updates as mentioned by the vendor:
https://www.bleepingcomputer.com/news/security/critical-nginx-ui-auth-bypass-flaw-now-actively-exploited-in-the-wild/
References
Bleeping Computer
https://www.bleepingcomputer.com/news/security/critical-nginx-ui-auth-bypass-flaw-now-actively-exploited-in-the-wild/
CVE Name
CVE-2026-33032
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


