CVE-2026-33032, dubbed MCPwn, is a CVSS 9.8 authentication bypass in nginx-ui's MCP integration that lets any attacker on the internet restart your Nginx server, rewrite your configs, and intercept all traffic -- in two HTTP requests, no credentials required. Roughly 2,700 instances are exposed.