A critical security flaw in nginx-ui — a widely used open-source web interface for managing Nginx web server configurations — is under active exploitation. The vulnerability, tracked as CVE-2026-33032 with a CVSS score of 9.8, allows unauthenticated attackers to bypass the login mechanism entirely and gain full administrative access to the Nginx management panel.
Vulnerability Details
CVE-2026-33032 is an authentication bypass vulnerability affecting nginx-ui versions prior to 2.1.4. The flaw exists in the API authentication middleware, which fails to validate JWT tokens properly under specific header injection conditions.
| Field | Detail |
|---|---|
| CVE | CVE-2026-33032 |
| CVSS Score | 9.8 (Critical) |
| Affected Versions | nginx-ui < 2.1.4 |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Patch Available | Yes — nginx-ui v2.1.4 |
An attacker with network access to the nginx-ui management port (default: 9000/TCP) can:
- Send a crafted HTTP request with a malformed `Authorization` header
- Bypass JWT validation and obtain an authenticated session
- Gain full admin access to the nginx-ui dashboard
- Modify Nginx virtual host configurations, upload files, or execute system commands via the built-in terminal
Exploitation in the Wild
The Hacker News reports that exploitation of CVE-2026-33032 began within days of public disclosure. Observed attack patterns include:
- Mass scanning for nginx-ui instances exposed on ports 9000 and 8080
- Web shell deployment via Nginx `try_files` manipulation to serve attacker-controlled PHP/ASPX files
- Reverse shell implantation through nginx-ui's built-in configuration editor
- Credential harvesting from nginx-ui's stored basic auth configurations
CISA added CVE-2026-33032 to the Known Exploited Vulnerabilities (KEV) catalog on April 16, 2026, requiring federal agencies to patch by May 2, 2026.
Attack Surface
nginx-ui is particularly popular among:
- Self-hosted web server administrators managing multiple virtual hosts
- VPS and dedicated server operators who prefer a GUI over CLI nginx management
- Docker-based deployments using the `uozi/nginx-ui` container image
Shodan and Censys scans reveal approximately 14,000 nginx-ui instances publicly accessible on the internet. The majority of these remain unpatched as of publication.
Remediation
Immediate action required:
```bash
# Check installed version
nginx-ui --version

# Update via Docker (if containerized)
docker pull uozi/nginx-ui:latest
docker stop nginx-ui && docker rm nginx-ui
# Redeploy with updated image

# Update via package manager or binary replacement
# Download v2.1.4+ from GitHub releases
```

Network-level mitigations (if patching is delayed):
- Restrict nginx-ui management port access to trusted IP ranges via firewall rules
- Place nginx-ui behind a VPN or bastion host
- Disable nginx-ui completely if not actively used
- Monitor for unauthorized Nginx configuration changes
Detection
Look for these indicators of compromise:
- Unexpected nginx configuration file modifications in `/etc/nginx/`
- New virtual host configs serving files from `/tmp/` or world-writable directories
- Nginx worker processes spawning unexpected child processes
- HTTP requests to the nginx-ui API (`/api/`) from external IPs without prior authentication
If nginx-ui is running in your environment, treat any unexplained configuration change as a potential compromise indicator and audit access logs immediately.
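As an added illustration of the detection guidance above (this is not code from the article or from the nginx-ui project), the following Python script applies two of the listed indicators to constructed sample data: nginx-ui API requests from outside a trusted allowlist with no preceding login, and virtual host `root`/`alias` directives pointing at scratch or world-writable directories. The login path, the trusted ranges and the sample log and config are assumptions; adjust them to your deployment.

```python
import ipaddress
import os
import re
import stat

# Constructed sample data (not from the article): nginx "combined" access log lines and a vhost config.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Apr/2026:10:01:02 +0000] "POST /api/login HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Apr/2026:10:01:05 +0000] "GET /api/sites HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Apr/2026:10:07:44 +0000] "GET /api/sites HTTP/1.1" 200 1840 "-" "python-requests/2.31"
203.0.113.9 - - [16/Apr/2026:10:07:46 +0000] "POST /api/domains/default HTTP/1.1" 200 60 "-" "python-requests/2.31"
"""
SAMPLE_CONF = """\
server {
    root /srv/www/example;
    location /uploads/ { alias /tmp/uploads/; }
}
"""

# Trusted source ranges: the same allowlist you would enforce at the firewall (assumed values).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})', re.M)
ROOT_RE = re.compile(r'\b(root|alias)\s+([^\s;]+)\s*;')

def flag_external_api_requests(log_text, login_path="/api/login"):
    """(ip, path) for /api/ requests from untrusted IPs that never completed a login earlier in the log.
    login_path is an assumption about where nginx-ui accepts credentials."""
    logged_in, hits = set(), []
    for m in LOG_RE.finditer(log_text):
        ip, path = m["ip"], m["path"]
        if path == login_path and m["method"] == "POST" and m["status"] == "200":
            logged_in.add(ip)
            continue
        trusted = any(ipaddress.ip_address(ip) in net for net in TRUSTED)
        if path.startswith("/api/") and not trusted and ip not in logged_in:
            hits.append((ip, path))
    return hits

def flag_suspicious_roots(conf_text, bad_prefixes=("/tmp/", "/var/tmp/", "/dev/shm/")):
    """(directive, path) for root/alias directives serving from scratch or world-writable directories."""
    flagged = []
    for directive, path in ROOT_RE.findall(conf_text):
        try:
            world_writable = bool(os.stat(path).st_mode & stat.S_IWOTH)
        except OSError:
            world_writable = False  # path absent on this host; judge by prefix only
        if path.startswith(bad_prefixes) or world_writable:
            flagged.append((directive, path))
    return flagged
```

Run it against your real access log and `/etc/nginx/` contents; any hit from the first function is a candidate for the "API access without prior authentication" indicator and warrants a full audit of the affected host.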
Broader Context
This vulnerability follows a pattern of management interface flaws in self-hosted web tooling — similar to recent exploitation of Webmin, Netdata, and phpMyAdmin vulnerabilities. Admin panels that expose system-level control with insufficient authentication represent high-value targets for initial access brokers and ransomware operators looking for pivot points into infrastructure.
Patch nginx-ui to v2.1.4 or later without delay.