A critical authentication bypass vulnerability in nginx-ui, the popular open-source web-based Nginx management interface, is now actively exploited in the wild, allowing unauthenticated attackers to seize complete control of Nginx servers with just two crafted HTTP requests.
Tracked as CVE-2026-33032 with a maximum severity CVSS score of 9.8, Pluto Security researcher Yotam Perkal discovered the flaw, which has been dubbed MCPwn.
Threat intelligence firms VulnCheck and Recorded Future’s Insikt Group independently confirmed active exploitation beginning as early as March 2026, with the flaw now listed among 31 vulnerabilities actively weaponized by threat actors last month.
nginx-ui is a widely deployed, web-based graphical interface for managing Nginx web server configurations. It simplifies server administration for developers and sysadmins by offering a clean dashboard for editing config files, managing virtual hosts, and monitoring service status.
As of this writing, Shodan data reveals approximately 2,689 publicly exposed instances on the internet, with the highest concentrations located in China, the United States, Indonesia, Germany, and Hong Kong.
The tool’s broad deployment across production infrastructure makes this vulnerability especially dangerous; a single unpatched instance can hand attackers the keys to an entire web server environment.
The flaw exists within nginx-ui’s Model Context Protocol (MCP) integration, which exposes two HTTP endpoints: /mcp and /mcp_message.
While the /mcp endpoint correctly enforces both IP allowlisting and authentication via the AuthRequired() middleware, the /mcp_message endpoint enforces only IP allowlisting with a critical implementation flaw: the default IP allowlist is empty, which the middleware silently interprets as “allow all.”
The consequence is severe and straightforward: any network-adjacent attacker can run all MCP tools on the server without providing any credentials.
This includes restarting Nginx, creating, modifying, or deleting Nginx configuration files, and triggering automatic configuration reloads, effectively handing over complete control of the Nginx service.
As researcher Perkal succinctly described the design failure: “When you bolt MCP onto an existing application, the MCP endpoints inherit the application’s full capabilities but not necessarily its security controls. The result is a backdoor that bypasses every authentication mechanism the application was carefully built with.”
Attack Flow
Exploitation of CVE-2026-33032 requires only two HTTP requests and can be completed in seconds:
- Step 1 — Session Establishment: The attacker sends an HTTP GET request to the
/mcpendpoint to establish a Server-Sent Events (SSE) session and obtain a valid session ID. No credentials are needed at this stage. - Step 2 — Unauthenticated Tool Invocation: Using the obtained session ID, the attacker sends an HTTP POST request to the
/mcp_messageendpoint and invokes any available MCP tool, no JWT, no cookies, no nNosecret, no authentication tokens of any kind are required.
Once inside, threat actors can modify Nginx configuration files to intercept all proxied traffic, harvest administrator credentials, redirect traffic to attacker-controlled infrastructure, and achieve persistent access across the server environment.
The attack requires no special tooling or advanced exploit chain and leaves minimal forensic traces if defensive logging is not in place.
Patch and Mitigations
The nginx-ui maintainers addressed CVE-2026-33032 in version 2.3.4, released on March 15, 2026. All organizations running nginx-ui should treat this as an emergency and upgrade immediately.
For environments where an immediate upgrade is not operationally feasible, two workarounds are available:
- Add
middleware.AuthRequired()to the/mcp_messageendpoint to force authentication on all MCP tool invocations. - Change the IP allowlist default behavior from “allow-all” to “deny-all,” restricting access to explicitly trusted IP addresses only.
Pluto Security has issued an urgent advisory: “Organizations running nginx-ui should treat this as an emergency: update to version 2.3.4 immediately, or disable MCP functionality and restrict network access as an interim measure.” VulnCheck has also formally added CVE-2026-33032 to its Known Exploited Vulnerabilities (KEV) list.
The Wider MCP Security Crisis
CVE-2026-33032 does not exist in isolation. It follows closely on the heels of MCPwnfluence, a chained exploit chain targeting the Atlassian MCP server (mBcp-atlassian), disclosed by Pluto Security in late February 2026.
Two vulnerabilities power the MCPwnfluence attack chain:
- CVE-2026-27825 (CVSS 9.1): An arbitrary file write vulnerability arising from missing directory confinement and inadequate path traversal validation in Confluence attachment download tools, enabling remote code execution by overwriting critical system files such as
~/.bashrcor~/.ssh/authorized_keys. - CVE-2026-27826 (CVSS 8.2): A Server-Side Request Forgery (SSRF) vulnerability caused by unvalidated Atlassian base URL headers in middleware, allowing attackers to redirect the server to attacker-controlled infrastructure.
When chained together on a local network, these flaws allow a fully unauthenticated attacker to initialize an MCP session, redirect the server to an attacker’s machine, upload a malicious attachment, and achieve full unauthenticated Remote Code Execution (RCE). Fixes were released in mcp-atlassian version 0.17.0.
MCP as an Emerging Attack Surface
Both MCPwn and MCPwnfluence highlight a dangerous pattern emerging across the AI and automation ecosystem: MCP integrations are being grafted onto applications that were never designed to accommodate them, often inheriting privileged capabilities while shedding security controls.
As AI-driven automation pipelines proliferate and MCP adoption accelerates across enterprise tooling, security teams must audit every MCP endpoint as a high-risk attack surface, treating unauthenticated access to any tool-invocation endpoint as a critical misconfiguration by default.
FAQ
Q1: What is CVE-2026-33032?
CVE-2026-33032 is a CVSS 9.8 authentication bypass in nginx-ui’s /mcp_message endpoint that allows unauthenticated attackers to take over Nginx servers fully.
Q2: Which versions of nginx-ui are affected?
All nginx-ui versions up to and including 2.3.3 are vulnerable; the issue is patched in version 2.3.4, released March 15, 2026.
Q3: Is CVE-2026-33032 actively exploited?
Yes, Recorded Future, VulnCheck, and Field Effect have all confirmed active exploitation of CVE-2026-33032 in the wild since at least March 2026.
Q4: What are the recommended mitigations if patching immediately is not possible?
Add middleware.AuthRequired() to the /mcp_message endpoint or switch the IP allowlist default from “allow-all” to “deny-all” to block unauthenticated access.
About the Author
