nginx-ui — MCPwn: Unauthenticated MCP Endpoint Leads to Full Server Takeover (CVE-2026-33032)

AI relevance: nginx-ui added Model Context Protocol (MCP) support to let AI assistants manage nginx configurations, but the MCP message endpoint was deployed without authentication middleware — turning an AI integration layer into a zero-click server takeover vector on 2,600+ publicly exposed instances.

  • CVE-2026-33032 (CVSS 9.8, dubbed "MCPwn" by Pluto Security) is an authentication bypass in nginx-ui's MCP SSE transport endpoint
  • The /mcp_message POST endpoint — which receives all MCP tool invocations — was missing the authentication middleware used by the rest of the application
  • Any network-adjacent attacker can invoke all 12 MCP tools without credentials, including 7 destructive ones: write configs, reload nginx, read files, restart services
  • Active exploitation confirmed by VulnCheck (KEV listing) and Recorded Future (Risk Score 94/100) since late March 2026
  • Pluto Security's Shodan scans found 2,689 publicly exposed nginx-ui instances across 50+ countries, many on cloud providers (Alibaba Cloud, Oracle, DigitalOcean)
  • nginx-ui has 11K+ GitHub stars and 430K+ Docker pulls — it is a popular management interface for nginx deployments
  • Proof-of-concept exploit is publicly available; the attack flow is trivial: open SSE connection, get sessionID, send tool calls to /mcp_message
  • Fixed in nginx-ui v2.3.4 (March 15); v2.3.6 released last week with additional hardening

Why It Matters

MCPwn illustrates a systemic pattern in MCP deployments: when you bolt MCP onto an existing application, the MCP endpoints inherit the application's full operational capabilities but not necessarily its security controls. The nginx-ui developers built robust auth for the web UI, but the MCP transport layer bypassed it entirely. This is the second in Pluto Security's MCP vulnerability series — following MCPwnfluence (CVE-2026-27825), an SSRF-to-RCE chain in the most widely deployed Atlassian MCP server. Both findings demonstrate that MCP servers act as privileged bridges between AI agents and critical infrastructure, and a single missing guard rail compromises everything behind the bridge.

What To Do

  • Patch immediately — upgrade nginx-ui to v2.3.4 or later (v2.3.6 recommended)
  • Disable MCP if you don't use AI-assisted nginx management — remove the exposure entirely
  • IP whitelist MCP endpoints — restrict /mcp and /mcp_message to trusted internal hosts only
  • Audit access logs — look for unauthenticated POST requests to /mcp_message, unexpected config changes, or nginx reloads
  • Treat MCP endpoints as API attack surface — every MCP endpoint should undergo the same authentication, authorization, and input validation review as REST APIs
  • Scan for exposed instances — use Shodan favicon hash http.favicon.hash:-1565173320 to find your own exposed nginx-ui deployments
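
The access-log audit and the trusted-host restriction above can be combined into one check. The sketch below is an added example, not code from nginx-ui or Pluto Security. It assumes nginx-ui sits behind a reverse proxy that writes "combined" format access logs; the trusted networks and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: a reverse proxy in front of nginx-ui writes "combined" access logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
MCP_PATHS = ("/mcp", "/mcp_message")  # endpoints named in the advisory
# Assumption: networks allowed to reach MCP; replace with your own ranges.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "127.0.0.0/8")]

# Constructed sample lines (documentation IP ranges, placeholder query string).
SAMPLE = [
    '203.0.113.7 - - [02/Apr/2026:10:15:01 +0000] "GET /mcp HTTP/1.1" 200 0 "-" "-"',
    '203.0.113.7 - - [02/Apr/2026:10:15:02 +0000] "POST /mcp_message?x=PLACEHOLDER HTTP/1.1" 202 0 "-" "-"',
    '10.1.2.3 - - [02/Apr/2026:10:16:00 +0000] "POST /mcp_message HTTP/1.1" 202 0 "-" "-"',
    '198.51.100.9 - - [02/Apr/2026:10:17:00 +0000] "POST /mcp_message HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.9 - - [02/Apr/2026:10:17:05 +0000] "GET /api/settings HTTP/1.1" 200 0 "-" "-"',
]

def audit(lines):
    """Map client IP -> MCP requests that came from outside TRUSTED."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path not in MCP_PATHS:
            continue
        try:
            if any(ipaddress.ip_address(m["ip"]) in net for net in TRUSTED):
                continue
        except ValueError:
            pass  # client field is not an IP: report it rather than skip it
        hits[m["ip"]].append((m["ts"], m["method"], path, int(m["status"])))
    return dict(hits)

def tool_call_sources(hits):
    """Clients with at least one POST to /mcp_message answered with 2xx."""
    return sorted(
        ip for ip, reqs in hits.items()
        if any(meth == "POST" and p == "/mcp_message" and 200 <= s < 300
               for _, meth, p, s in reqs))

if __name__ == "__main__":
    found = audit(SAMPLE)
    for ip in tool_call_sources(found):
        print(ip, found[ip])
```

Clients returned by `tool_call_sources` are the ones to correlate with unexpected config changes or nginx reloads around the same timestamps.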
