
A recently disclosed critical security flaw affecting nginx-ui, an open source web-based Nginx management tool, is being exploited in the wild.
The vulnerability in question is CVE-2026-33032 (CVSS score: 9.8), an authentication bypass that allows an attacker to take control of the Nginx service. Pluto Security, which discovered it, has codenamed the flaw MCPwn.
According to an advisory released last month by the maintainers of nginx-ui, “The nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. /mcp requires both an IP whitelist and authentication (AuthRequired() middleware), but the /mcp_message endpoint applies the whitelist only. The default IP whitelist is empty, and the middleware treats it as ‘allow all’.”
“This means that a network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic configuration reloads, thereby achieving complete takeover of the nginx service.”
According to Pluto Security researcher Yotam Perkal, who identified and reported the flaw, the attack can achieve a complete takeover in seconds using just two requests:
1. An HTTP GET request to the /mcp endpoint to establish a session and retrieve the session ID.
2. An HTTP POST request to the /mcp_message endpoint that invokes an MCP tool using that session ID, with no authentication.
This means that an attacker could exploit this vulnerability by sending a specially crafted HTTP request directly to the “/mcp_message” endpoint without using any authentication headers or tokens.

Successful exploitation could allow an attacker to invoke MCP tools that modify Nginx configuration files and reload the server. Because Nginx fronts the traffic it serves, an attacker who controls its configuration could also redirect or intercept that traffic and harvest administrator credentials.
Following responsible disclosure, the vulnerability was fixed in nginx-ui version 2.3.4, released on March 15, 2026. As a workaround, the advisory suggests adding the middleware.AuthRequired() middleware to the /mcp_message endpoint so that it enforces authentication, or, alternatively, changing the default behavior of the IP whitelist from “allow all” to “deny all.”
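To make the advisory's description concrete, the following is an added example and not nginx-ui's own code: nginx-ui uses its own router and middleware, and the middleware names, the bearer-token check, the token value and the client addresses here are stand-ins. It models the two middlewares on Go's standard library, wires the endpoints the way the advisory describes, and shows why an unauthenticated POST to /mcp_message succeeds and how the two recommended changes (deny-all for an empty whitelist, AuthRequired() on /mcp_message) close it.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// exampleToken is a hypothetical API token used only by this example.
const exampleToken = "example-token"

// ipWhitelist is a stand-in for the whitelist middleware the advisory
// describes. emptyMeansAllow=true reproduces the reported default
// (an empty list lets everyone through); false is the deny-all hardening.
func ipWhitelist(allowed []string, emptyMeansAllow bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr // no port present
		}
		if len(allowed) == 0 {
			if emptyMeansAllow {
				next.ServeHTTP(w, r)
				return
			}
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		for _, ip := range allowed {
			if ip == host {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// authRequired is a stand-in for AuthRequired(): a simple bearer-token check.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+exampleToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newServer wires the two MCP endpoints. fixed=false reproduces the reported
// layout: /mcp behind whitelist+auth, /mcp_message behind the whitelist only,
// with an empty whitelist allowing all. fixed=true applies both changes the
// advisory recommends.
func newServer(fixed bool, whitelist []string) *http.ServeMux {
	tool := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "tool invoked") // stands in for the reload/config-write tools
	})
	mux := http.NewServeMux()
	mux.Handle("/mcp", ipWhitelist(whitelist, !fixed, authRequired(tool)))
	if fixed {
		mux.Handle("/mcp_message", ipWhitelist(whitelist, false, authRequired(tool)))
	} else {
		mux.Handle("/mcp_message", ipWhitelist(whitelist, true, tool))
	}
	return mux
}

// probe sends a POST from remoteAddr, with a bearer token if one is given,
// and returns the HTTP status code.
func probe(mux *http.ServeMux, path, remoteAddr, token string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	req.RemoteAddr = remoteAddr
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	attacker := "203.0.113.7:51234" // constructed client address
	for _, fixed := range []bool{false, true} {
		mux := newServer(fixed, nil) // nil: the default, empty whitelist
		fmt.Printf("fixed=%-5v unauthenticated: /mcp -> %d, /mcp_message -> %d\n",
			fixed, probe(mux, "/mcp", attacker, ""), probe(mux, "/mcp_message", attacker, ""))
	}
}
```

With the default empty whitelist, the vulnerable wiring returns 401 for an unauthenticated POST to /mcp but 200 for the same request to /mcp_message, which is the gap the two-request attack walks through. With deny-all and AuthRequired() applied, both endpoints return 403 until an address is whitelisted, and then 401 until a valid token is presented.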
The disclosure comes after a report published this week by Recorded Future listed CVE-2026-33032 as one of 31 vulnerabilities actively exploited by threat actors in March 2026. Details of the observed exploitation activity are not currently available.
“When you bolt MCP onto an existing application, the MCP endpoint inherits all of the functionality of the application, but not necessarily the security controls. This creates a backdoor that allows the application to bypass all carefully constructed authentication mechanisms,” said Perkal.
According to Shodan data, there are approximately 2,689 instances exposed on the internet, most of which are located in China, the United States, Indonesia, Germany, and Hong Kong.
“Given the approximately 2,600 publicly accessible nginx-ui instances that our researchers have identified, the risk to unpatched deployments is immediate and real,” Pluto told The Hacker News. “Organizations running nginx-ui should treat this as an emergency by immediately updating to version 2.3.4 or disabling MCP functionality to restrict network access as an interim measure.”
The news of CVE-2026-33032 follows the discovery of two security flaws in Atlassian MCP Server (‘mcp-atlassian’) that could be chained together to enable remote code execution. The flaws, tracked as CVE-2026-27825 (CVSS 9.1) and CVE-2026-27826 (CVSS 8.2) and collectively known as MCPwnfluence, allow an attacker on the same local network to execute arbitrary code on a vulnerable machine without authentication.
“If you chain both vulnerabilities together, you can send requests from the LAN [local area network] to the MCP server, redirect the server to the attacker’s machine, upload the attachment, and receive complete unauthenticated RCE from the LAN,” Pluto Security said.
