CVE-2026-33032 is a CVSS 9.8 authentication bypass in Nginx UI, a third-party open-source web management panel for Nginx. Active exploitation is confirmed by multiple secondary security outlets. Any internet-exposed Nginx UI instance should be treated as potentially compromised until access is restricted and the patch is confirmed applied.