Critical Nginx-UI MCP Flaw Actively Exploited in the Wild
A critical authentication bypass in nginx-ui, tracked as CVE-2026-33032 with a CVSS score of 9.8, is being actively exploited, allowing unauthenticated attackers to fully compromise nginx servers via a single API request.

A critical authentication bypass vulnerability in nginx-ui, a popular open-source web interface for managing nginx servers, is being actively exploited in the wild. The flaw, tracked as CVE-2026-33032 and carrying a CVSS score of 9.8, lets any unauthenticated attacker who can reach the management interface over the network take full control of an nginx server with a single API request.
The vulnerability was discovered by Pluto Security and has been added to VulnCheck's Known Exploited Vulnerabilities (KEV) list. Recorded Future's Insikt Group also flagged it in a recent report as one of 31 high-impact vulnerabilities exploited during March 2026, assigning it a risk score of 94 out of 100.
The root cause is a missing authentication check on the `/mcp_message` endpoint. Nginx-ui recently added support for the Model Context Protocol (MCP), with communication split across two HTTP endpoints. The `/mcp` endpoint, used for establishing connections, carries both IP whitelisting and authentication middleware. However, `/mcp_message`, the endpoint that processes every tool invocation including configuration writes and server restarts, shipped without the authentication check. An attacker therefore never needs to touch the guarded endpoint: one request to `/mcp_message` is enough.
That omission exposes 12 MCP tools to unauthenticated callers. Seven of these are destructive, enabling attackers to inject nginx configurations, reload the server, and intercept all traffic passing through it. The remaining five provide reconnaissance capabilities such as reading existing configs and mapping backend infrastructure.
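The pattern behind the bug, and the shape of the fix, is easiest to see in code. The following is an added illustration, not nginx-ui's own router code: it models the two MCP endpoints on Go's standard `net/http` mux with a constructed bearer-token check standing in for the real authentication middleware. `vulnerableMux` attaches the middleware only to `/mcp`; `patchedMux` attaches it to both. `unprotectedPaths` is the kind of regression check that catches the omission, which the advisory says the fix shipped with (the helper names, token value and request body are assumptions made for this example).

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed credential: a static bearer token stands in for whatever
// session or API-key check the real management interface performs.
const validToken = "Bearer example-token"

// requireAuth is the authentication middleware. A request without the
// expected credential is rejected before the wrapped handler ever runs.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != validToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mcpConnect models the connection-setup endpoint (/mcp).
func mcpConnect(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	w.Write([]byte("session established"))
}

// mcpMessage models the tool-invocation endpoint (/mcp_message), which in
// the real product can write configuration and reload the server.
func mcpMessage(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	w.Write([]byte("tool invoked"))
}

// vulnerableMux wires the middleware onto /mcp only, so /mcp_message is
// reachable without credentials. This mirrors the class of mistake the
// advisory describes; it is not nginx-ui's actual code.
func vulnerableMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/mcp", requireAuth(http.HandlerFunc(mcpConnect)))
	mux.Handle("/mcp_message", http.HandlerFunc(mcpMessage))
	return mux
}

// patchedMux applies the same middleware to both endpoints.
func patchedMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/mcp", requireAuth(http.HandlerFunc(mcpConnect)))
	mux.Handle("/mcp_message", requireAuth(http.HandlerFunc(mcpMessage)))
	return mux
}

// statusFor sends an in-memory POST (no network) and returns the status code.
// An empty auth string means "no Authorization header at all".
func statusFor(mux *http.ServeMux, path, auth string) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(`{"method":"tools/call"}`))
	if auth != "" {
		req.Header.Set("Authorization", auth)
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

// unprotectedPaths returns every listed path that answers an unauthenticated
// request with anything other than 401. Run against every privileged route,
// this is the regression check that would have flagged /mcp_message.
func unprotectedPaths(mux *http.ServeMux, paths []string) []string {
	var open []string
	for _, p := range paths {
		if statusFor(mux, p, "") != http.StatusUnauthorized {
			open = append(open, p)
		}
	}
	return open
}

func main() {
	routes := []string{"/mcp", "/mcp_message"}
	fmt.Println("vulnerable, open without auth:", unprotectedPaths(vulnerableMux(), routes))
	fmt.Println("patched,    open without auth:", unprotectedPaths(patchedMux(), routes))
	fmt.Println("patched, /mcp_message with auth:", statusFor(patchedMux(), "/mcp_message", validToken))
}
```

The useful habit here is the last function: rather than trusting that each route was registered with the right wrapper, enumerate the privileged routes and assert that every one of them refuses an anonymous request. That check is cheap, and it fails loudly the next time a new endpoint is added without its middleware.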
Pluto Security's researchers used Shodan to identify over 2,600 publicly reachable nginx-ui instances across cloud providers including Alibaba Cloud, Oracle, and Tencent. Most were running on the default port 9000. The tool's Docker image has been pulled more than 430,000 times, suggesting a much larger population of potentially vulnerable deployments sitting behind firewalls.
The nginx-ui maintainers released a patch in version 2.3.4 just one day after disclosure. The fix amounted to 27 characters of added code, along with a regression test to prevent the same oversight from recurring. Organizations running nginx-ui with MCP enabled should update to version 2.3.4 or later, disable MCP functionality if patching is not possible, restrict network access to the management interface, and review server logs and configuration directories for unauthorized changes.
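For the log review the advisory recommends, the question to answer is which requests to `/mcp_message` actually succeeded and where they came from. The following added example, not part of the original article or of nginx-ui, assumes the management port sits behind a reverse proxy that writes nginx "combined" format access logs; the log lines, addresses, timestamps, user agents and the admin allow-list are all constructed for this example. It returns every 2xx response to `/mcp_message` from an address that is not on the allow-list.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample in nginx "combined" log format, standing in for the
// access log of a reverse proxy in front of the management interface.
// Nothing here comes from a real incident.
const sampleLog = `203.0.113.7 - - [14/Mar/2026:02:11:05 +0000] "GET /mcp HTTP/1.1" 401 0 "-" "curl/8.5.0"
203.0.113.7 - - [14/Mar/2026:02:11:09 +0000] "POST /mcp_message HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [14/Mar/2026:02:11:12 +0000] "POST /mcp_message HTTP/1.1" 200 87 "-" "curl/8.5.0"
10.0.0.5 - - [14/Mar/2026:09:30:00 +0000] "GET /api/settings HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [14/Mar/2026:09:31:44 +0000] "POST /mcp_message HTTP/1.1" 200 140 "-" "python-requests/2.31"
198.51.100.23 - - [14/Mar/2026:11:02:19 +0000] "POST /mcp_message HTTP/1.1" 404 0 "-" "Go-http-client/1.1"`

// combinedLine captures client IP, timestamp, method, path and status from one
// combined-format line; the referrer and user-agent fields are not needed here.
var combinedLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Hit is one /mcp_message request that deserves a closer look.
type Hit struct {
	IP, Time, Method, Path string
	Status                 int
}

// suspiciousMCPCalls returns every request to /mcp_message that the server
// answered with a 2xx and that did not originate from an address on the admin
// allow-list. Lines that do not parse, non-2xx responses and other paths are
// skipped. The refused GET /mcp from the same client in the sample is the
// guarded endpoint doing its job; the two 200s that follow it are not.
func suspiciousMCPCalls(log string, trusted map[string]bool) []Hit {
	var hits []Hit
	for _, line := range strings.Split(log, "\n") {
		m := combinedLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ip, ts, method, path, status := m[1], m[2], m[3], m[4], m[5]
		if !strings.HasPrefix(path, "/mcp_message") || status[0] != '2' || trusted[ip] {
			continue
		}
		code, _ := strconv.Atoi(status) // already matched \d{3}, cannot fail
		hits = append(hits, Hit{IP: ip, Time: ts, Method: method, Path: path, Status: code})
	}
	return hits
}

func main() {
	trusted := map[string]bool{"10.0.0.5": true} // constructed admin host
	for _, h := range suspiciousMCPCalls(sampleLog, trusted) {
		fmt.Printf("%s %s %s %s -> %d\n", h.Time, h.IP, h.Method, h.Path, h.Status)
	}
}
```

Any hit from an address that should never talk to the management interface is a reason to treat the nginx configuration directory as tampered with and compare it against a known-good copy, since a successful tool call is exactly what the bypass allowed.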
This is the second MCP vulnerability Pluto Security has disclosed in recent weeks, following MCPwnfluence, an SSRF-to-RCE chain in the Atlassian MCP server. Both cases expose a recurring weakness: when MCP is connected to existing applications, its endpoints often inherit full capabilities without inheriting any of the security controls.