A Critical Nginx UI Flaw Is Being Actively Exploited
The 'MCPwn' flaw (CVE-2026-33032) allows unauthenticated attackers to hijack Nginx UI instances via a neglected AI protocol endpoint.
Security researchers have confirmed active exploitation of a CVSS 9.8 authentication bypass vulnerability in Nginx UI. The flaw in the web-based management tool allows unauthenticated remote attackers to gain full control over Nginx servers. If you run Nginx UI to manage reverse proxies or web server configurations, this vulnerability exposes your infrastructure to immediate compromise.
The MCPwn Vulnerability Details
Tracked as CVE-2026-33032, the vulnerability stems from a flawed implementation of the Model Context Protocol. Nginx UI added MCP integration in late 2025 to enable communication with AI agents. The maintainers exposed two endpoints for this functionality.
The /mcp endpoint handles connection establishment and properly implements authentication alongside IP whitelisting. The /mcp_message endpoint executes the actual commands. The maintainers shipped /mcp_message without authentication middleware. The endpoint relies entirely on a default IP whitelist that ships empty. The software logic interprets an empty whitelist as a directive to allow all traffic.
Exploitation Workflow
Attackers can compromise a server using just two HTTP requests. The exploit requires establishing a Server-Sent Events connection to the /mcp endpoint to receive a valid session ID. The attacker then sends a POST request to /mcp_message using that session ID to invoke privileged MCP tools.
The unauthenticated user gains access to 12 administrative tools. These include commands to modify configuration files, restart the service, and reload the daemon. Attackers are using the nginxconfigmodify tool to rewrite nginx.conf files. This allows them to inject malicious reverse proxies or steal credentials by capturing authorization headers.
Impact and Remediation
Internet scans identify approximately 2,600 publicly exposed and potentially vulnerable instances. VulnCheck added the flaw to its Known Exploited Vulnerabilities list after observing active campaigns in March and April 2026. The vulnerability affects Nginx UI versions up to and including 2.3.3.
| Status | Nginx UI Version |
|---|---|
| Vulnerable | <= 2.3.3 |
| Patched | 2.3.4 and later |
| Recommended | 2.3.6 |
Upgrading to version 2.3.4 or newer patches the vulnerability. If immediate patching is not feasible, you must implement manual workarounds. The most secure temporary measure is disabling the MCP functionality entirely. Alternatively, you can restrict access by configuring a non-empty IP whitelist to permit only trusted administrative IPs. You can also manually add the middleware.AuthRequired() call to the /mcp_message endpoint in your source code before recompiling.
Protocol Integration Risks
The incident illustrates a recurring architectural failure when adding AI capabilities to legacy infrastructure. Developers often integrate agent protocols without routing them through established security middleware. The Nginx UI flaw is the second major MCP-related vulnerability disclosed by Pluto Security in 2026, following an SSRF-to-RCE chain in Atlassian’s MCP server dubbed MCPwnfluence. When you build advanced AI agents, giving them system access requires mapping protocol-specific endpoints to the core application’s security model.
Audit your exposed Nginx UI instances immediately. Check access logs for unexpected POST requests to the /mcp_message endpoint. If you find indicators of compromise, assume the underlying server configuration has been modified and rebuild the instance from trusted configurations.
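The log check described above can be scripted. The following is an added example, not code from Nginx UI or from the researchers; it assumes requests are recorded in nginx's "combined" access-log format, and the function names, trusted network and sample lines are constructed for illustration.

```python
import ipaddress
import re

# Assumption: requests are logged in nginx's "combined" access-log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def is_trusted(ip_text, networks):
    """True only if the source parses as an IP inside a trusted network."""
    try:
        src = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source: treat as untrusted
    return any(src in net for net in networks)

def find_mcp_message_posts(lines, trusted_cidrs):
    """Summarise POSTs to /mcp_message per untrusted source IP."""
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Match on the path alone so a query string does not hide the request.
        path = m["target"].split("?", 1)[0].rstrip("/")
        if path != "/mcp_message" or is_trusted(m["ip"], networks):
            continue
        entry = hits.setdefault(
            m["ip"], {"count": 0, "first": m["ts"], "last": m["ts"], "statuses": set()}
        )
        entry["count"] += 1
        entry["last"] = m["ts"]  # assumes log lines are in chronological order
        entry["statuses"].add(m["status"])
    return hits

# Constructed sample lines (documentation IP ranges; the query parameter name is made up).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2026:10:15:01 +0000] "GET /mcp HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - - [02/Apr/2026:10:15:02 +0000] "POST /mcp_message?session=CONSTRUCTED HTTP/1.1" 200 52 "-" "-"',
    '203.0.113.7 - - [02/Apr/2026:10:15:09 +0000] "POST /mcp_message?session=CONSTRUCTED HTTP/1.1" 200 48 "-" "-"',
    '192.0.2.10 - - [02/Apr/2026:10:20:00 +0000] "POST /mcp_message?session=CONSTRUCTED HTTP/1.1" 200 40 "-" "-"',
    '198.51.100.23 - - [02/Apr/2026:11:00:00 +0000] "POST /api/login HTTP/1.1" 200 10 "-" "-"',
    'not an access log line',
]

if __name__ == "__main__":
    for ip, info in find_mcp_message_posts(SAMPLE_LOG, ["192.0.2.0/24"]).items():
        print(ip, info["count"], info["first"], info["last"], sorted(info["statuses"]))
```

If your deployment uses a custom `log_format`, adjust `LINE_RE` to match it before relying on an empty result.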