Tech Apr 16, 2026 5 min nginx-ui MCP Endpoint Missing Authentication (CVE-2026-33032) Exploited in the Wild, No Patch Available A CVSS 9.8 authentication bypass in nginx-ui's /mcp_message endpoint lets unauthenticated remote attackers rewrite nginx configurations. Active exploitation confirmed, no patch yet. Security CVE nginx MCP Authentication Bypass Vulnerability
