MCPwn: Actively Exploited nginx-ui Auth Bypass (CVE-2026-33032)
AI relevance: This vulnerability exists because nginx-ui added Model Context Protocol (MCP) integration for AI-driven server management, and the /mcp_message endpoint was left without authentication — showing how adding AI tool interfaces to existing infrastructure creates new attack surfaces.
Key Findings
- CVE-2026-33032 (CVSS 9.8) is an authentication bypass in nginx-ui, an open-source web management interface for Nginx with 11,000+ GitHub stars and 430,000+ Docker pulls.
- Dubbed "MCPwn" by Pluto Security, the flaw stems from a missing middleware call on the /mcp_message endpoint — an API route added for MCP-based AI agent integration.
- Any network-accessible attacker can establish an SSE connection, open an MCP session, and invoke all 12 MCP tools (7 destructive) without any authentication.
- Exploitation allows: reading nginx configuration files, injecting malicious server blocks, triggering automatic config reloads, and achieving complete nginx service takeover.
- Shodan scans show 2,600 publicly exposed instances potentially vulnerable, concentrated in China, the US, Indonesia, Germany, and Hong Kong.
- Recorded Future's CVE Landscape report confirms active exploitation in the wild.
Attack Flow
- Attacker connects to the target nginx-ui instance over the network (no credentials needed).
- Establishes an SSE (Server-Sent Events) connection and opens an MCP session.
- Uses the returned session ID to send requests directly to /mcp_message.
- Invokes privileged MCP tools: read configs, inject new server blocks, trigger nginx reload.
- Server is now under attacker control — arbitrary reverse proxies, credential harvesting, or further pivoting.
Why It Matters
This is a concrete example of what happens when AI agent interfaces (MCP) are bolted onto existing infrastructure management tools without proper security review. The MCP endpoint was designed for AI-driven automation but became a backdoor because the authentication layer wasn't extended to cover it. As more infrastructure tools add MCP support for AI agent integration, this pattern will repeat unless vendors treat MCP endpoints as security-critical from day one.
What to Do
- Upgrade immediately — nginx-ui v2.3.6 is the latest secure release. The vulnerability was fixed in v2.3.4 (March 15) but v2.3.6 includes additional hardening.
- Block public access — nginx-ui instances should never be directly exposed to the internet; use VPN, SSH tunnels, or internal network access only.
- Audit MCP endpoints — if you run any infrastructure tool with MCP integration, verify every MCP endpoint requires authentication and authorization.
- Monitor for exploitation indicators — look for unexpected SSE connections to /mcp_message, unauthorized config changes, or nginx reloads outside maintenance windows.
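
One way to run the monitoring step above over access logs, as an added example that is not code from nginx-ui or from the original write-up. It assumes nginx-ui sits behind a reverse proxy that writes nginx "combined" format logs; the trusted networks and the sample log lines are constructed placeholders.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: management networks allowed to reach nginx-ui (hypothetical values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
WATCHED_PATH = "/mcp_message"  # endpoint named in the advisory

# nginx "combined" access log format: client, time, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def is_trusted(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable client address: treat as untrusted
    return any(ip in net for net in TRUSTED_NETS if net.version == ip.version)

def find_untrusted_mcp_requests(lines):
    """Return {client_ip: [(timestamp, method, status), ...]} for requests to
    WATCHED_PATH that come from outside TRUSTED_NETS."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        # Compare the path only, so a query string or trailing slash cannot hide a match.
        path = urlsplit(m["target"]).path.rstrip("/")
        if path != WATCHED_PATH or is_trusted(m["ip"]):
            continue
        hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
10.1.2.3 - - [20/Mar/2026:09:00:01 +0000] "POST /mcp_message?constructed=1 HTTP/1.1" 200 512 "-" "agent/1.0"
203.0.113.50 - - [20/Mar/2026:03:14:07 +0000] "POST /mcp_message?constructed=1 HTTP/1.1" 200 734 "-" "curl/8.5.0"
203.0.113.50 - - [20/Mar/2026:03:14:09 +0000] "POST /mcp_message/ HTTP/1.1" 200 120 "-" "curl/8.5.0"
198.51.100.7 - - [20/Mar/2026:03:20:00 +0000] "GET / HTTP/1.1" 200 0 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == "__main__":
    for ip, events in find_untrusted_mcp_requests(SAMPLE_LOG).items():
        print(f"{ip}: {len(events)} request(s) to {WATCHED_PATH}, first at {events[0][0]}")
```

Any source reported here is worth correlating with the times of config changes and nginx reloads on the same host.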