CVE-2026-33032 is a CVSS 9.8 authentication bypass in Nginx UI, a third-party web-based management interface for Nginx servers, with active in-the-wild exploitation reported across multiple credible secondary sources. Unauthenticated attackers can achieve full server compromise including remote command execution. Any instance of Nginx UI exposed to the internet or untrusted networks must be isolated immediately.