EXECUTIVE SUMMARY:
Multiple security vulnerabilities have been identified in nginx-ui, a web-based Nginx management tool, affecting versions prior to 2.3.3. They include an authentication bypass and a remote code execution (RCE) flaw, which can be exploited to take full control of the Nginx service. This poses a significant business risk: threat actors can seize control of the service, modify its configuration, and intercept traffic. If exploited, this could lead to data breaches, unauthorized access to sensitive information, and ultimately a complete takeover of the Nginx server, resulting in significant financial losses and reputational damage.
CVE-2026-33032 with a CVSS score of 9.8 – This vulnerability is an authentication bypass that enables threat actors to seize control of the Nginx service. It abuses a session establishment step and, in versions prior to 2.3.3, a separate vulnerability that exposes, without authentication, the encryption keys required to decrypt backups. An attacker can use the session ID obtained from the /mcp endpoint to invoke MCP tools, modify Nginx configuration files, and reload the server without any further authentication.
CVE-2026-27825 with a CVSS score of 9.1 – This vulnerability is a remote code execution flaw that enables an attacker on the same local network to run arbitrary code on a vulnerable machine without any authentication. It can be chained with CVE-2026-27826 to achieve full RCE.
The active exploitation of these vulnerabilities poses a significant risk to unpatched deployments; approximately 2,600 nginx-ui instances are publicly reachable.
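As an added defensive example, not part of this advisory or of the nginx-ui project, the following Python script triages access logs for requests to the /mcp endpoint that originate outside an administrative network. It assumes nginx-ui is fronted by nginx writing the standard combined log format; the management network range and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumption: nginx in front of nginx-ui writes the standard "combined" log
# format. This regex parses that format, not any nginx-ui-specific log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines for demonstration; not taken from any real incident.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Apr/2026:09:12:01 +0000] "POST /mcp HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.7 - - [14/Apr/2026:09:13:44 +0000] "POST /mcp HTTP/1.1" 200 498 "-" "python-requests/2.31"
203.0.113.7 - - [14/Apr/2026:09:13:45 +0000] "POST /mcp HTTP/1.1" 200 1024 "-" "python-requests/2.31"
198.51.100.9 - - [14/Apr/2026:09:20:10 +0000] "GET /api/nginx/status HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Assumed management network from which admin access to nginx-ui is expected.
ADMIN_NETS = [ip_network("10.0.0.0/8")]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_admin_source(ip):
    """True if the client address falls inside one of the admin networks."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETS)


def find_suspicious_mcp_access(log_text):
    """Return {client_ip: count} of /mcp requests from outside the admin networks."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if (path == "/mcp" or path.startswith("/mcp/")) and not is_admin_source(rec["ip"]):
            hits[rec["ip"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for ip, n in find_suspicious_mcp_access(SAMPLE_LOG).items():
        print(f"{ip}: {n} request(s) to /mcp from outside the admin network")
```

Any non-admin source reaching /mcp on an instance older than the fixed release warrants review of the Nginx configuration and reload history for unauthorized changes.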
RECOMMENDATION:
We recommend updating nginx-ui to version 2.3.4.
REFERENCES:
The following reports contain further technical details:
https://thehackernews.com/2026/04/critical-nginx-ui-vulnerability-cve.html