CVE-2026-33032: nginx-ui "MCPwn"

Overview

CVE-2026-33032 is an unauthenticated access vulnerability in nginx-ui, a popular open-source web GUI for managing Nginx servers. Dubbed MCPwn by the researchers at Pluto Security who discovered it, the flaw allows any remote attacker with network access to invoke privileged administrative actions — restarting services, rewriting configs, redirecting traffic — without supplying a single credential. CVSS scores it at 9.8 Critical.

Active exploitation was confirmed in the wild in March 2026. As of mid-April 2026 approximately 2,689 instances remain exposed on the public internet, with the highest concentrations in China, the United States, Indonesia, Germany, and Hong Kong.

What is nginx-ui?

nginx-ui is a self-hosted administration interface for Nginx, providing a browser-based dashboard for managing virtual hosts, SSL certificates, upstream configurations, and access logs. It is commonly deployed by developers and small infrastructure teams who want a GUI alternative to editing nginx.conf directly. The application runs as a privileged process alongside Nginx — giving it the ability to restart the service and reload its configuration at will.

In recent versions nginx-ui added MCP (Model Context Protocol) support, exposing a set of programmatic HTTP endpoints to allow AI tooling to interact with the Nginx configuration. This new attack surface is where the vulnerability lives.

Root Cause: Unprotected MCP Endpoint

nginx-ui enforces authentication on its main application routes via middleware. However, during the implementation of the MCP integration, the /mcp_message endpoint was left outside the authentication middleware chain entirely — an oversight of a single missing configuration line.

An attacker who can reach the nginx-ui port can call /mcp_message with no session, no token, and no credentials. The endpoint accepts and executes privileged MCP tool calls as if they came from an authenticated administrator.

Exploitation in Two HTTP Requests

The exploit flow is trivial:

1. Establish a Server-Sent Events (SSE) connection to /mcp to obtain a sessionID. No authentication is required for this step.
2. POST a privileged MCP tool call to /mcp_message using the sessionID from step one. The server executes the requested action immediately.

From the attacker's perspective this looks like:

# Step 1 — open SSE stream and grab sessionID
curl -s -N http://target:9000/mcp
# Response includes: data: {"sessionId":"abc123..."}

# Step 2 — invoke a privileged action unauthenticated
curl -s -X POST http://target:9000/mcp_message \
  -H "Content-Type: application/json" \
  -d '{"sessionId":"abc123...", "tool":"nginx_restart"}'

The entire attack can be scripted in seconds and requires no prior knowledge of the target environment beyond network reachability.

Impact

With access to the MCP endpoint, an unauthenticated attacker can:

• Restart the Nginx service — immediate disruption of all hosted services.
• Create, modify, or delete Nginx configuration files — redirect traffic to attacker-controlled upstreams, disable TLS, strip authentication on proxied applications.
• Trigger automatic configuration reloads — changes take effect without any further interaction.
• Read all Nginx configuration and access logs — full visibility into hosted infrastructure, upstream servers, and client traffic patterns.
• Intercept credentials — by rewriting proxy configs to log or forward request bodies to an attacker-controlled host.
• Cause persistent denial of service — push syntactically invalid configuration to prevent Nginx from starting after a reload.

Unlike a typical web application RCE where impact is limited to the application user, compromise here is equivalent to full administrative control of the web server tier — affecting every application running behind the target Nginx instance.

Affected Versions

All versions of nginx-ui prior to 2.3.4 are affected. The MCP feature was introduced in version 2.0.0, so all releases in the 2.x branch up to 2.3.3 are vulnerable.

Remediation

1. Upgrade to nginx-ui 2.3.4 immediately. The fix is a single line adding the missing authentication middleware to the /mcp_message route registration.
2. If an immediate upgrade is not possible, block access to the nginx-ui port at the network or firewall level — restrict it to trusted management networks only. nginx-ui should never be internet-facing.
3. If the MCP feature is not in active use, disable it entirely in the nginx-ui configuration.
4. Audit Nginx configuration files and access logs for unexpected changes, new upstream definitions, or proxy_pass directives added after March 2026.
5. Rotate any credentials or tokens that nginx-ui had access to, as they may have been harvested via log manipulation.

Detection Guidance

Watch for the following indicators in nginx-ui and Nginx logs:

• Unexpected POST requests to /mcp_message from external or unknown IP addresses.
• GET requests to /mcp from sources that are not your own tooling.
• Nginx configuration changes not initiated by a known administrator — particularly additions to proxy_pass, access_log, or server_name directives.
• Nginx service restart events logged outside of scheduled maintenance windows.

Takeaways

MCPwn is an object lesson in the danger of shipping new protocol integrations without applying the same security controls that protect the rest of an application. The core Nginx UI authentication was sound — the vulnerability was entirely a consequence of the MCP feature bypassing it. Every new endpoint is a new attack surface, and authentication middleware must be explicitly applied, not assumed.

From a red team perspective this vulnerability is highly attractive: trivial to exploit, no prerequisites, high-value target (the web server configuration layer), and a large number of internet-exposed instances. Any engagement involving Linux web infrastructure should include a check for exposed nginx-ui management interfaces.

References

• NVD — CVE-2026-33032
• The Hacker News — Actively Exploited nginx-ui Flaw Enables Full Nginx Server Takeover
• Bleeping Computer — Critical nginx-ui Auth Bypass Flaw Now Actively Exploited
• Security Affairs — CVE-2026-33032: Severe nginx-ui Bug Grants Unauthenticated Server Access
• SentinelOne Vulnerability Database — CVE-2026-33032