VDB
GO-2026-4904
GO-2026-4904
PUBLISHED
nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover in github.com/0xJacky/Nginx-UI
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| github.com | 0xJacky/Nginx-UI | 0, 0 |
Timeline
- Apr 2, 2026 CVE Published
- Apr 2, 2026 CVE Updated
- May 1, 2026 Security Advisory
References
- https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf advisory
- https://nvd.nist.gov/vuln/detail/CVE-2026-33032 advisory
- https://github.com/0xJacky/nginx-ui/blob/f89f8ff8223478988f7ed49bf1d3dbf2de44bf92/internal/middleware/ip_whitelist.go#L11-L26 url
- https://github.com/0xJacky/nginx-ui/blob/f89f8ff8223478988f7ed49bf1d3dbf2de44bf92/mcp/router.go#L9-L17 url