CVE-2026-33032 is an actively exploited authentication bypass in nginx-ui, a third-party open-source web management interface for the Nginx web server. The MCP endpoint exposes all management functions without any authentication, allowing unauthenticated remote attackers to rewrite Nginx configurations, execute commands, and establish persistence. Patched versions 2.3.4 and 2.3.6 are available; approximately 2,600 internet-exposed instances remain unpatched as of mid-April 2026.