Critical Nginx UI auth bypass flaw now actively exploited in the wild

Security Reporter

A critical authentication bypass vulnerability in Nginx UI with MCP support (CVE-2026-33032) is being actively exploited, allowing attackers to take complete control of web servers without credentials.

A critical vulnerability in Nginx UI with Model Context Protocol (MCP) support is now being exploited in the wild for full server takeover without authentication. The flaw, tracked as CVE-2026-33032, is caused by nginx-ui leaving the '/mcp_message' endpoint unprotected, allowing remote attackers to invoke privileged MCP actions without credentials.

Because those actions involve writing and reloading nginx configuration files, a single unauthenticated request can modify server behavior and effectively take over the web server.

"[...] any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads – achieving complete nginx service takeover," reads NIST's description of the flaw in the National Vulnerability Database (NVD).

NGINX released a fix for the flaw in version 2.3.4 on March 15, a day after researchers at the AI workflow security company Pluto Security AI reported it. However, the vulnerability identifier, along with technical details and a proof-of-concept (PoC) exploit, emerged at the end of the month.

In the CVE Landscape report earlier this week, threat intelligence company Recorded Future notes that CVE-2026-33032 is under active exploitation.

Attack flow

Nginx UI is a web-based management interface for the Nginx web server. The project is very popular, with more than 11,000 stars on GitHub and 430,000 Docker pulls. Based on Pluto Security's internet scans using the Shodan engine, there are currently 2,600 publicly exposed instances potentially vulnerable to attacks. Most are in China, the United States, Indonesia, Germany, and Hong Kong.

In a report today, Pluto Security's Yotam Perkal says that exploitation only requires network access and is achieved by establishing an SSE connection, opening an MCP session, and then using the returned 'sessionID' to send requests to the '/mcp_message' endpoint.

From there, attackers can invoke MCP tools without authentication and take the following actions:

  • Connect to the target nginx-ui instance
  • Send requests without any authentication headers
  • Gain access to all 12 MCP tools (7 destructive)
  • Read nginx configuration files and exfiltrate them
  • Inject a new nginx server block with malicious configuration
  • Trigger automatic nginx reload

Pluto Security's demo shows that an attacker can use the unauthenticated MCP message endpoint to execute privileged nginx management actions, perform config injection, and ultimately take control of the nginx server, all without authentication.

Given the active exploitation status and the availability of public PoCs, system administrators are advised to apply the available security updates as soon as possible. The latest secure version of nginx-ui is 2.3.6, released last week.

For organizations running nginx-ui, immediate action is required:

  1. Check your version: Run nginx-ui --version to verify you're running 2.3.6 or later
  2. Update immediately: If running an affected version, upgrade to the latest release
  3. Restrict access: Limit network access to nginx-ui interfaces where possible
  4. Monitor logs: Watch for unusual activity on the '/mcp_message' endpoint
  5. Consider alternatives: If you don't need MCP functionality, disable it or use a different management interface
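One way to carry out the log monitoring in step 4, as an added example that is not code from Pluto Security or the nginx-ui project: it scans access-log lines for requests to '/mcp_message' from clients outside an expected management network and separates accepted requests from rejected ones. It assumes the requests are recorded in nginx "combined" log format (for example by a reverse proxy in front of nginx-ui); `TRUSTED_NETS` and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Assumption: nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
MCP_MESSAGE_PATH = "/mcp_message"  # endpoint named in the advisory
# Assumption: hypothetical network of hosts expected to use the MCP endpoint.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample lines (documentation address ranges, made-up timestamps).
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Apr/2026:10:15:01 +0000] "POST /mcp_message?sessionID=CONSTRUCTED HTTP/1.1" 200 112 "-" "curl/8.5.0"',
    '203.0.113.7 - - [02/Apr/2026:10:15:03 +0000] "POST /mcp_message?sessionID=CONSTRUCTED HTTP/1.1" 200 98 "-" "curl/8.5.0"',
    '10.20.0.15 - - [02/Apr/2026:10:16:00 +0000] "POST /mcp_message?sessionID=CONSTRUCTED HTTP/1.1" 200 87 "-" "mcp-client"',
    '198.51.100.22 - - [02/Apr/2026:10:17:40 +0000] "POST /mcp_message HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.22 - - [02/Apr/2026:10:17:41 +0000] "GET / HTTP/1.1" 200 512 "-" "-"',
]

def is_trusted(ip):
    """True if the client address parses and falls inside a trusted network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client field: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def find_mcp_hits(lines):
    """Map untrusted client IP -> [(timestamp, method, status)] for /mcp_message."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        # Compare the path only, so query strings and a trailing slash still match.
        path = urlsplit(m["target"]).path.rstrip("/")
        if path == MCP_MESSAGE_PATH and not is_trusted(m["ip"]):
            hits[m["ip"]].append((m["ts"], m["method"], int(m["status"])))
    return dict(hits)

def accepted_clients(hits):
    """Untrusted clients with at least one 2xx response: review these first."""
    return sorted(ip for ip, evs in hits.items()
                  if any(200 <= status < 300 for _, _, status in evs))
```

A 2xx response to an untrusted client on this endpoint warrants comparing the nginx configuration files and reload history against a known-good copy, since the MCP tools can write configuration and trigger reloads.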

This vulnerability highlights the growing security risks associated with AI integration in infrastructure tools. The MCP protocol, designed to enable AI agents to interact with system resources, has created new attack surfaces when not properly secured.

The widespread deployment of nginx-ui (430,000+ Docker pulls) combined with the ease of exploitation makes this a particularly dangerous vulnerability. With 2,600 potentially vulnerable instances exposed to the internet, the window for exploitation is significant.

Security researchers emphasize that this type of vulnerability—where AI integration creates unintended security bypasses—will likely become more common as infrastructure tools increasingly incorporate AI capabilities. Organizations should carefully evaluate the security implications of AI-enabled features before deploying them in production environments.
