Critical nginx-ui Vulnerability (CVE-2026-33032) Exposes 2,689 Instances to Full Server Takeover
A significant security vulnerability affecting nginx-ui, an open-source web-based management tool for Nginx, has been actively exploited in the wild. This flaw, identified as CVE-2026-33032, has received a critical CVSS score of 9.8, highlighting its potential for severe impact. Dubbed “MCPwn” by Pluto Security, this vulnerability allows threat actors to bypass authentication and take complete control of the Nginx service.
Technical Overview of the Vulnerability
nginx-ui integrates the Model Context Protocol (MCP) and exposes two HTTP endpoints for it: /mcp and /mcp_message. According to the advisory released by the nginx-ui maintainers, /mcp is protected by both an IP allowlist and authentication, while /mcp_message is protected by the IP allowlist alone. The default allowlist is empty, and an empty list is treated as allow-all, so the only check on /mcp_message passes for every source address.
Because /mcp_message carries no authentication, any attacker who can reach the instance over the network can invoke every MCP tool without credentials: restart the Nginx service, create, modify or delete configuration files, and trigger an automatic configuration reload. Together these amount to a complete takeover of the Nginx service.
Exploitation Methodology
Yotam Perkal, a researcher at Pluto Security who discovered the flaw, explained that an attacker can execute a full takeover in mere seconds through two specific HTTP requests:
- An HTTP GET request to the /mcp endpoint to establish a session and obtain a session ID.
- An HTTP POST request to the /mcp_message endpoint, carrying that session ID, to invoke any MCP tool without authentication.
The session-establishment step on /mcp does require authentication, but attackers can bypass it through a separate, earlier vulnerability (CVE-2026-27944) in nginx-ui versions prior to 2.3.3, which exposes the encryption keys needed to decrypt backups through the /api/backup endpoint without authentication.
Using that flaw, an attacker downloads a complete system backup and extracts sensitive data from it: user credentials, SSL private keys, Nginx configurations, and the value of the node_secret query parameter used to authenticate to the MCP interface. Sending node_secret on the GET request to /mcp yields a session ID, and with that session ID the attacker can issue commands through /mcp_message without further authentication.
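The chain just described leaves a recognisable sequence in the access log of any reverse proxy sitting in front of nginx-ui. The Go program below is an added example written for this page; it is not code from nginx-ui, Pluto Security or The Hacker News. It parses a few constructed nginx combined-format log lines (not real incident data), reports every POST to /mcp_message from an address outside an operator-supplied list, and separately reports a source that touches /api/backup, /mcp with a node_secret query parameter, and /mcp_message in turn. The log format, the operator list, the sample addresses and the user agents are assumptions; the sample lines omit any session-ID parameter on /mcp_message because the article does not say how the session ID is carried.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Constructed sample lines in nginx "combined" format, as a reverse proxy in
// front of nginx-ui might record them. Not real incident data; the session-ID
// parameter on /mcp_message is omitted because the article does not give it.
const SampleAccessLog = `203.0.113.9 - - [14/Mar/2026:10:01:02 +0000] "GET /api/backup HTTP/1.1" 200 5120 "-" "curl/8.5.0"
203.0.113.9 - - [14/Mar/2026:10:01:05 +0000] "GET /mcp?node_secret=REDACTED HTTP/1.1" 200 312 "-" "curl/8.5.0"
203.0.113.9 - - [14/Mar/2026:10:01:06 +0000] "POST /mcp_message HTTP/1.1" 202 0 "-" "curl/8.5.0"
198.51.100.4 - - [14/Mar/2026:10:02:00 +0000] "GET /login HTTP/1.1" 200 1180 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Mar/2026:10:02:09 +0000] "POST /mcp_message HTTP/1.1" 202 0 "-" "Mozilla/5.0"
192.0.2.77 - - [14/Mar/2026:10:03:11 +0000] "POST /mcp_message HTTP/1.1" 202 0 "-" "python-requests/2.32"
`

const (
	ReasonUntrustedPost = "POST /mcp_message from an address outside the operator allowlist"
	ReasonChain         = "GET /api/backup, GET /mcp?node_secret=..., POST /mcp_message from one source: matches the CVE-2026-27944 to CVE-2026-33032 chain"
)

type Finding struct {
	IP     string
	Reason string
}

type request struct{ ip, method, path, query string }

// lineRe captures client address, method and request target from a combined-format line.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" \d{3}`)

func parseLine(line string) (request, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return request{}, false
	}
	path, query, _ := strings.Cut(m[3], "?")
	return request{ip: m[1], method: m[2], path: path, query: query}, true
}

// Analyze returns findings sorted by IP then reason. operatorIPs are the
// addresses expected to drive the MCP interface; everything else is untrusted.
func Analyze(accessLog string, operatorIPs []string) []Finding {
	trusted := map[string]bool{}
	for _, ip := range operatorIPs {
		trusted[ip] = true
	}
	type stages struct{ backup, mcpSecret, mcpMessage bool }
	seen := map[string]*stages{}
	var out []Finding
	for _, line := range strings.Split(strings.TrimSpace(accessLog), "\n") {
		r, ok := parseLine(line)
		if !ok {
			continue
		}
		s, exists := seen[r.ip]
		if !exists {
			s = &stages{}
			seen[r.ip] = s
		}
		switch {
		case r.method == "GET" && r.path == "/api/backup":
			s.backup = true
		case r.method == "GET" && r.path == "/mcp" && strings.Contains(r.query, "node_secret="):
			s.mcpSecret = true
		case r.method == "POST" && r.path == "/mcp_message":
			if !s.mcpMessage && !trusted[r.ip] { // report each untrusted source once
				out = append(out, Finding{r.ip, ReasonUntrustedPost})
			}
			s.mcpMessage = true
		}
	}
	for ip, s := range seen {
		if s.backup && s.mcpSecret && s.mcpMessage {
			out = append(out, Finding{ip, ReasonChain})
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].IP != out[j].IP {
			return out[i].IP < out[j].IP
		}
		return out[i].Reason < out[j].Reason
	})
	return out
}

func main() {
	for _, f := range Analyze(SampleAccessLog, []string{"198.51.100.4"}) {
		fmt.Printf("%-14s %s\n", f.IP, f.Reason)
	}
}
```

On the sample input with 198.51.100.4 as the only trusted operator, the program reports 192.0.2.77 and 203.0.113.9 for untrusted use of /mcp_message and 203.0.113.9 again for the full backup-to-MCP chain. The first rule fires on any pre-2.3.4 instance that anyone outside the operator set has touched; the second is the higher-confidence signal that CVE-2026-27944 was used to obtain node_secret first.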
Implications of the Vulnerability
The successful exploitation of CVE-2026-33032 enables attackers to modify Nginx configuration files and reload the server. Additionally, they could intercept all traffic and harvest administrator credentials, posing a severe risk to organizations utilizing nginx-ui.
Following responsible disclosure, the vulnerability was addressed in version 2.3.4, released on March 15, 2026. As an immediate workaround, users are advised to apply the middleware.AuthRequired() middleware to the /mcp_message route so that it enforces authentication, or to change the default IP allowlisting behavior from “allow-all” to “deny-all”.
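To make both the endpoint wiring described in the technical overview and the two workarounds above concrete, here is an added example in Go (the language nginx-ui is written in) using only the standard library. It is illustrative code written for this page, not nginx-ui's own routing or middleware. It wires the routes the way the advisory describes (allowlist plus authentication on /mcp, allowlist alone on /mcp_message, and an empty allowlist meaning allow-all) next to a hardened variant that applies an authentication middleware standing in for middleware.AuthRequired() to both routes and treats an empty allowlist as deny-all, then probes each in-process. The static bearer token, the sample addresses and the allowlist entries are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// ipAllowed decides whether clientIP passes the allowlist. emptyMeansAllowAll
// selects the semantics: true is the weak default the article describes (an
// empty list lets everyone through), false is deny-by-default.
func ipAllowed(clientIP string, allowlist []string, emptyMeansAllowAll bool) bool {
	if len(allowlist) == 0 {
		return emptyMeansAllowAll
	}
	ip := net.ParseIP(clientIP) // nil for garbage; Contains/Equal then return false
	for _, entry := range allowlist {
		if _, cidr, err := net.ParseCIDR(entry); err == nil {
			if cidr.Contains(ip) {
				return true
			}
		} else if one := net.ParseIP(entry); one != nil && one.Equal(ip) {
			return true
		}
	}
	return false
}

func ipAllowlist(allowlist []string, emptyMeansAllowAll bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Peer address from the connection, never X-Forwarded-For or similar.
		host, _, _ := net.SplitHostPort(r.RemoteAddr)
		if !ipAllowed(host, allowlist, emptyMeansAllowAll) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// authRequired stands in for the middleware.AuthRequired() the advisory names;
// checking one static bearer token is an assumption made for this example.
func authRequired(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

var mcpTool = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "tool invoked") // placeholder for the MCP tool dispatcher
})

// VulnerableMux wires the routes as the article describes: allowlist plus auth
// on /mcp, allowlist alone on /mcp_message, empty allowlist meaning allow-all.
func VulnerableMux(token string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/mcp", ipAllowlist(nil, true, authRequired(token, mcpTool)))
	mux.Handle("/mcp_message", ipAllowlist(nil, true, mcpTool))
	return mux
}

// HardenedMux applies both checks to both routes and treats an empty
// allowlist as deny-all: the two workarounds the article lists.
func HardenedMux(allowlist []string, token string) http.Handler {
	mux := http.NewServeMux()
	guard := func(h http.Handler) http.Handler {
		return ipAllowlist(allowlist, false, authRequired(token, h))
	}
	mux.Handle("/mcp", guard(mcpTool))
	mux.Handle("/mcp_message", guard(mcpTool))
	return mux
}

// Probe issues one in-process request from remoteAddr and returns the status code; an empty token sends no credentials.
func Probe(h http.Handler, method, path, remoteAddr, token string) int {
	req := httptest.NewRequest(method, path, nil)
	req.RemoteAddr = remoteAddr
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	v, h := VulnerableMux("s3cret"), HardenedMux([]string{"203.0.113.0/24"}, "s3cret")
	fmt.Println("vulnerable, no creds, POST /mcp_message:", Probe(v, "POST", "/mcp_message", "198.51.100.7:4444", ""))
	fmt.Println("hardened, no creds, POST /mcp_message:  ", Probe(h, "POST", "/mcp_message", "198.51.100.7:4444", ""))
	fmt.Println("hardened, allowlisted + creds:          ", Probe(h, "POST", "/mcp_message", "203.0.113.5:5555", "s3cret"))
}
```

The vulnerable wiring answers 200 to an unauthenticated POST on /mcp_message from any address while the same request against /mcp gets 401, which is exactly the asymmetry the advisory describes. In the hardened wiring the allowlist check runs first, so an address outside the list gets 403 before the token is even examined, a listed address without a token gets 401, and an empty allowlist rejects everyone until the operator fills it in.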
Current Threat Landscape
The disclosure of this vulnerability coincides with a report from Recorded Future, which identified CVE-2026-33032 as one of 31 vulnerabilities actively exploited by threat actors in March 2026. Data from Shodan indicates approximately 2,689 exposed instances of nginx-ui on the internet, predominantly located in China, the United States, Indonesia, Germany, and Hong Kong.
Given the substantial number of publicly reachable nginx-ui instances, the urgency for organizations to patch their deployments is critical. Pluto Security emphasized the need for immediate updates to version 2.3.4 or, as a temporary measure, disabling MCP functionality and restricting network access.
Related Vulnerabilities and Broader Context
The news surrounding CVE-2026-33032 follows the discovery of two additional security flaws in the Atlassian MCP server, tracked as CVE-2026-27825 and CVE-2026-27826. These vulnerabilities, collectively referred to as MCPwnfluence, allow attackers on the same local network to execute arbitrary code on vulnerable machines without requiring authentication.
The interconnected nature of these vulnerabilities underscores the importance of robust security measures in applications that integrate with external protocols like MCP. As noted by Perkal, when MCP is added to an existing application, the endpoints inherit the application’s full capabilities but not necessarily its security controls, resulting in a backdoor that bypasses established authentication mechanisms.
Organizations utilizing nginx-ui must remain vigilant and proactive in addressing these vulnerabilities to safeguard their systems against potential exploitation.
For further details, refer to the original reporting source: thehackernews.com.