Overview.

CVE-2026-33032 is an authentication bypass vulnerability discovered in the Nginx UI.
the vulnerability allows access to the MCP endpoint with an unauthenticated request, creating conditions that could allow remote control of Nginx configuration or behavior.

Impact and risk.

affected products are Nginx UI version 2.3.5 and earlier.
through authentication bypass, a threat actor could cause severe security impact, including remote command execution, configuration changes, and service disruption.

Resolution Status and Advisory.

the referenced release tag (v2.3.6) indicates that a patch is included.
affected environments should update to the latest version with the patch.
note: You should check the security advisory and release notes on the site for the patch version and changes applied.

References.

links to published advisories and release pages have been provided as references.[1][2][3][4].