A critical authentication bypass vulnerability tracked as CVE-2026-33032, dubbed "MCPwn" by researchers at Pluto Security, is being actively exploited in the wild against nginx-ui, a widely used graphical management interface for the Nginx web server. Rated CVSS 9.8 (a score that implies a remote, unauthenticated attack vector, not merely an adjacent-network one), the flaw lets an unauthenticated remote attacker take complete control of an affected Nginx server with just two HTTP requests and no credentials.
Technical Overview: What Is nginx-ui?
nginx-ui is an open-source web-based dashboard that simplifies the administration of Nginx web servers. It provides a user-friendly interface for managing virtual hosts, SSL certificates, reverse proxy configurations, and access logs. Due to its convenience, it has been widely adopted by developers and system administrators, particularly in smaller organisations and self-hosted environments.
Reports give the affected range as nginx-ui versions 2.3.5 and earlier, while the fix is credited to version 2.3.4; those two figures cannot both be right, so verify the exact affected range against the nginx-ui project's own advisory before deciding whether an instance is vulnerable. The flaw stems from a missing authentication middleware call on a single API endpoint, leaving that endpoint open to unauthenticated attackers.
The Root Cause: Missing Middleware
According to Rapid7's analysis, nginx-ui exposes an MCP (Model Context Protocol) server via two endpoints, /mcp and /mcp_message. The /mcp endpoint applies both IP whitelisting and authentication through the AuthRequired() middleware. The /mcp_message endpoint applies only the IP whitelist, and because the default whitelist is empty, which the middleware interprets as "allow all", any attacker who can reach the management port can invoke MCP tools through this endpoint without authenticating. Note that a populated whitelist would only have narrowed the exposure, not closed it: an IP allow-list is a network control, not an authentication control, and the correct fix is to require credentials on every MCP route.
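To make the root cause concrete, the following Go program reproduces the routing pattern described above using only the standard library. It is an added illustration written for this article, not nginx-ui's code: the handler and middleware names, the bearer-token check and the demo token are assumptions chosen to mirror the description. The "vulnerable" mux wraps /mcp in both checks but /mcp_message in the whitelist only, and an empty whitelist admits everyone; the "patched" mux puts the authentication middleware in front of both routes.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// Stand-in for the routing pattern the article describes. NOT nginx-ui's
// code: names, middleware signatures and the demo token are assumptions.

const demoToken = "secret-token" // constructed credential for the example

// authRequired rejects any request without a valid bearer token.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+demoToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ipWhitelist admits only listed client IPs. An empty list admits everyone,
// reproducing the permissive default the article describes.
func ipWhitelist(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(allowed) > 0 {
			host, _, err := net.SplitHostPort(r.RemoteAddr)
			if err != nil {
				host = r.RemoteAddr
			}
			permitted := false
			for _, a := range allowed {
				if a == host {
					permitted = true
					break
				}
			}
			if !permitted {
				http.Error(w, "forbidden", http.StatusForbidden)
				return
			}
		}
		next.ServeHTTP(w, r)
	})
}

// mcpTools stands in for the MCP tool dispatcher behind both routes.
func mcpTools(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "mcp tools available")
}

// vulnerableMux mirrors the pre-patch wiring: /mcp gets whitelist + auth,
// /mcp_message gets the whitelist only.
func vulnerableMux(allowed []string) http.Handler {
	mux := http.NewServeMux()
	tools := http.HandlerFunc(mcpTools)
	mux.Handle("/mcp", ipWhitelist(allowed, authRequired(tools)))
	mux.Handle("/mcp_message", ipWhitelist(allowed, tools))
	return mux
}

// patchedMux is the fix: authRequired sits in front of every MCP route.
func patchedMux(allowed []string) http.Handler {
	mux := http.NewServeMux()
	tools := http.HandlerFunc(mcpTools)
	mux.Handle("/mcp", ipWhitelist(allowed, authRequired(tools)))
	mux.Handle("/mcp_message", ipWhitelist(allowed, authRequired(tools)))
	return mux
}

// probe returns the status an unauthenticated client receives for path.
func probe(h http.Handler, path string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	req.RemoteAddr = "203.0.113.7:41000" // constructed attacker address
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	cases := []struct {
		name string
		h    http.Handler
	}{
		{"vulnerable, empty whitelist", vulnerableMux(nil)},
		{"vulnerable, whitelist set", vulnerableMux([]string{"10.0.0.5"})},
		{"patched, empty whitelist", patchedMux(nil)},
	}
	for _, c := range cases {
		fmt.Printf("%-30s /mcp=%d /mcp_message=%d\n",
			c.name, probe(c.h, "/mcp"), probe(c.h, "/mcp_message"))
	}
}
```

Running it shows the asymmetry that makes the bug exploitable: with the default empty whitelist the unauthenticated probe gets 401 from /mcp but 200 from /mcp_message, while the patched wiring returns 401 for both. A populated whitelist turns both into 403 for the attacker's address, which is why restricting source IPs is a useful stop-gap but not a substitute for the patch.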
The attack flow is devastatingly simple:
- Step 1: Attacker sends a crafted request to /mcp_message to enumerate the available MCP tools
- Step 2: Attacker invokes nginx configuration tools to overwrite the server config, inject malicious directives, or execute arbitrary system commands
From initial access to full Nginx takeover, the entire exploit chain can be executed in seconds. No brute-forcing. No credential harvesting. Just two HTTP requests.
Active Exploitation and Exposed Instances
Recorded Future listed CVE-2026-33032 among 31 vulnerabilities actively exploited by threat actors in March 2026, confirming that criminal groups had already begun weaponising the flaw before widespread public awareness. Shodan data shows approximately 2,689 publicly exposed nginx-ui instances accessible from the internet, with the largest concentrations in China, the United States, Indonesia, Germany, and Hong Kong.
Successful exploitation can result in a range of devastating outcomes:
- Complete takeover of the Nginx web server configuration
- Redirection of web traffic to attacker-controlled infrastructure
- Injection of malicious JavaScript or phishing pages into hosted sites
- Lateral movement into the broader server environment
- Installation of persistent backdoors or cryptominers
Patch Available: Update Immediately
The nginx-ui development team patched CVE-2026-33032 in version 2.3.4 by adding the missing AuthRequired() middleware to the /mcp_message endpoint. All organisations running nginx-ui should update to version 2.3.4 or later without delay.
For those who cannot immediately patch, the following interim mitigations are strongly recommended:
- Disable MCP functionality entirely within the nginx-ui configuration
- Restrict network access to the nginx-ui management port using firewall rules, allowing only trusted IP ranges
- Place nginx-ui behind a VPN or Zero Trust Network Access (ZTNA) gateway
- Monitor web server logs for requests to the /mcp or /mcp_message endpoints from unexpected source addresses; on an unpatched instance, a successful (HTTP 200) request to /mcp_message from an untrusted address indicates unauthenticated tool invocation, whereas a patched instance answers such requests with 401
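The log-monitoring mitigation above can be turned into a simple triage script. The Go program below is an added example for this article, not part of nginx-ui or any vendor tooling: it parses lines in Nginx's default "combined" access-log format, normalises the request path (strips the query string, percent-decodes, lower-cases and trims trailing slashes, so variants such as /MCP%5Fmessage/ are not missed), and reports every hit on /mcp or /mcp_message from an address outside a trusted set. The sample log lines and the trusted address are constructed for the demonstration. Because access logs do not record whether an Authorization header was present, source address and response status are the only signals available here; a 200 on /mcp_message from an untrusted address on a pre-patch build is the line to escalate.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one access-log line that touched an MCP endpoint.
type Finding struct {
	ClientIP string
	Method   string
	Path     string
	Status   string
}

// combinedLog matches Nginx's "combined" format:
// $remote_addr - $remote_user [$time_local] "$request" $status ...
// Groups: client IP, method, request target, status.
var combinedLog = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) `)

// normalizePath strips the query string and fragment, percent-decodes,
// lower-cases and removes trailing slashes so path variants compare equal.
func normalizePath(raw string) string {
	if i := strings.IndexAny(raw, "?#"); i >= 0 {
		raw = raw[:i]
	}
	if dec, err := url.PathUnescape(raw); err == nil {
		raw = dec
	}
	raw = strings.ToLower(raw)
	if len(raw) > 1 {
		raw = strings.TrimRight(raw, "/")
	}
	return raw
}

// ScanAccessLog returns every request to /mcp or /mcp_message whose
// client address is not in trusted. A nil trusted map trusts nobody.
func ScanAccessLog(lines []string, trusted map[string]bool) []Finding {
	var out []Finding
	for _, line := range lines {
		m := combinedLog.FindStringSubmatch(line)
		if m == nil {
			continue // not a combined-format line; skip
		}
		ip, method, path, status := m[1], m[2], m[3], m[4]
		p := normalizePath(path)
		if p != "/mcp" && p != "/mcp_message" {
			continue
		}
		if trusted[ip] {
			continue
		}
		out = append(out, Finding{ClientIP: ip, Method: method, Path: p, Status: status})
	}
	return out
}

// trustedAdmins is a constructed allow-list of known management hosts.
var trustedAdmins = map[string]bool{"10.0.0.5": true}

// sampleLog is constructed for this example; it is not real traffic.
var sampleLog = []string{
	`10.0.0.5 - admin [12/Mar/2026:10:01:02 +0000] "GET /dashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`203.0.113.7 - - [12/Mar/2026:10:02:15 +0000] "POST /mcp_message HTTP/1.1" 200 1843 "-" "python-requests/2.31"`,
	`203.0.113.7 - - [12/Mar/2026:10:02:16 +0000] "POST /mcp_message?sessionId=abc HTTP/1.1" 200 97 "-" "python-requests/2.31"`,
	`198.51.100.9 - - [12/Mar/2026:10:03:40 +0000] "GET /MCP%5Fmessage/ HTTP/1.1" 404 153 "-" "curl/8.4.0"`,
	`10.0.0.5 - admin [12/Mar/2026:10:04:01 +0000] "GET /mcp HTTP/1.1" 200 300 "-" "Mozilla/5.0"`,
	`203.0.113.7 - - [12/Mar/2026:10:05:00 +0000] "GET /mcp HTTP/1.1" 401 42 "-" "curl/8.4.0"`,
}

func main() {
	for _, f := range ScanAccessLog(sampleLog, trustedAdmins) {
		fmt.Printf("%-15s %-5s %-13s status=%s\n", f.ClientIP, f.Method, f.Path, f.Status)
	}
}
```

On the constructed sample the scan reports four lines: two successful POSTs to /mcp_message from 203.0.113.7 (the ones to investigate first), a percent-encoded probe of the same path from 198.51.100.9, and a 401 on /mcp from 203.0.113.7, while the trusted admin's traffic is suppressed. In production, feed it the real access log and extend the trusted set to the addresses that legitimately use the dashboard.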
Broader Implications
CVE-2026-33032 is a stark reminder of the dangers lurking in administrative tooling. Web server management interfaces are high-value targets precisely because compromising them grants attackers control over the underlying infrastructure rather than just application-layer access. The introduction of MCP (Model Context Protocol) support into web tooling also introduces new attack surfaces that security teams must evaluate carefully as AI-adjacent protocols proliferate across the software stack.
Organisations are urged to treat any internet-exposed nginx-ui instance as potentially compromised until it has been patched and reviewed, and to conduct a thorough forensic review of the Nginx configuration files and server logs for signs of tampering. Patching closes the entry point but does not remove anything an attacker has already planted, such as rewritten configuration, redirects or backdoors.