Full Report
A critical vulnerability in Nginx UI with Model Context Protocol (MCP) support is now being exploited in the wild for full server takeover without authentication. [...]
Analysis Summary
# Vulnerability: Critical Authentication Bypass in Nginx UI MCP Endpoint
## CVE Details
- **CVE ID:** CVE-2026-33032
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication) / CWE-306 (Missing Authentication for Critical Function)
## Affected Systems
- **Products:** Nginx UI (Web-based management interface for Nginx)
- **Versions:** All versions prior to v2.3.4
- **Configurations:** Instances with Model Context Protocol (MCP) support enabled and exposed to the network.
## Vulnerability Description
The vulnerability stems from the `nginx-ui` application exposing the `/mcp_message` endpoint, which carries Model Context Protocol (MCP) traffic, without any authentication check. A remote attacker can establish a Server-Sent Events (SSE) connection to it and open an MCP session; once a `sessionID` is obtained, the attacker can invoke the privileged MCP tools behind it. Those tools read, create, modify, and delete Nginx configuration files and trigger service reloads, so an unauthenticated attacker gains control of the managed Nginx instance without ever touching the web UI's login.
## Exploitation
- **Status:** Exploited in the wild; Proof-of-Concept (PoC) available.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Ability to read and exfiltrate Nginx configuration files).
- **Integrity:** High (Ability to inject malicious server blocks and modify system behavior).
- **Availability:** High (Ability to delete configurations and restart/disrupt the Nginx service).
## Remediation
### Patches
- **Recommended Version:** Update to **v2.3.6** (released April 2026) or later.
- **Minimum Secure Version:** **v2.3.4** (released March 15, 2026).
### Workarounds
- Restrict access to the Nginx UI listener with firewall rules (ACLs) or a VPN so it is not reachable from the public internet, and bind it to a loopback or management-network address where the deployment allows.
- Place a reverse proxy in front of Nginx UI that denies requests to the `/mcp_message` path and requires its own authentication (e.g. HTTP basic auth) for everything else, so the unprotected endpoint is never reachable directly. This only helps if Nginx UI itself is unreachable except through the proxy; a proxy beside a still-exposed listener adds nothing.
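A fronting-proxy configuration for the second workaround, written here as an added example rather than taken from the page or the Nginx UI project. It assumes Nginx UI listens only on `127.0.0.1:9000`, that the MCP endpoint path is the `/mcp_message` path named above, that administrators connect from `10.0.0.0/8`, and that an htpasswd file exists at `/etc/nginx/.htpasswd`; the TLS directives are omitted.

```nginx
# Front proxy for Nginx UI (added example; paths, ports and networks are assumptions).
server {
    listen 443 ssl;
    server_name nginx-ui.example.internal;
    # ssl_certificate / ssl_certificate_key go here

    # Never forward the unauthenticated MCP endpoint. The ACL and basic auth below
    # would also cover it, but a flat deny survives a mistake in the allow list.
    location /mcp_message {
        deny all;
    }

    # Everything else: admin networks only, plus the proxy's own basic auth in
    # addition to Nginx UI's login. Upgrade headers keep the UI's websockets working.
    location / {
        allow 10.0.0.0/8;
        deny  all;
        auth_basic           "Nginx UI";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass         http://127.0.0.1:9000;
        proxy_http_version 1.1;
        proxy_set_header   Host $host;
        proxy_set_header   X-Real-IP $remote_addr;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection "upgrade";
        proxy_read_timeout 3600s;
    }
}
```

Two caveats. First, the `deny` on `/mcp_message` is a stopgap, not a substitute for v2.3.4 or later: if the proxy is the same Nginx instance that Nginx UI manages, an attacker who already holds an MCP session can rewrite this file and reload. Second, verify after deployment that `curl -i https://nginx-ui.example.internal/mcp_message` returns 403 and that the backend port is not reachable from outside the host.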
## Detection
### Indicators of Compromise
- **Log Analysis:** Review the access logs of whatever listener receives Nginx UI traffic for requests to `/mcp_message` from addresses outside the administrative allowlist. A `GET` (the SSE channel) followed by `POST`s from the same source is consistent with a session being opened and tools invoked; `4xx` responses to the same path from unknown addresses indicate probing and are worth recording even on a patched instance.
- **Configuration Changes:** Unexpected modifications to Nginx configuration files or the appearance of new, unrecognized server blocks.
- **Audit Logs:** Monitor for Nginx reloads (visible in the Nginx error log or the service manager's journal) that do not correspond to an administrator's action or a scheduled change.
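A log-review helper for the indicators above, added here as an example and not taken from the page or the Nginx UI project. It assumes the listener that receives Nginx UI traffic writes the standard nginx `combined` log format and that the administrative networks are known; the log lines it runs over are constructed, and the `sessionID` query-string form in them is an assumption about how the session is referenced after the SSE handshake, not something the page states.

```python
"""Flag /mcp_message activity from non-administrative sources in nginx access logs.

Added example for CVE-2026-33032 triage. Assumes the listener in front of Nginx UI
writes the standard nginx "combined" log format.
"""
import ipaddress
import re
from collections import defaultdict

MCP_PATH = "/mcp_message"

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?:\d+|-) '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not real traffic). The sessionID query parameter is an
# assumption about how the MCP session is referenced after the SSE handshake.
SAMPLE_LOG = """
10.0.0.5 - admin [16/Mar/2026:02:10:01 +0000] "GET /api/settings HTTP/1.1" 200 944 "-" "Mozilla/5.0"
10.0.0.5 - admin [16/Mar/2026:02:10:30 +0000] "GET /mcp_message HTTP/1.1" 200 1207 "-" "Mozilla/5.0"
203.0.113.45 - - [16/Mar/2026:02:14:07 +0000] "GET /mcp_message HTTP/1.1" 200 512 "-" "python-requests/2.32.3"
203.0.113.45 - - [16/Mar/2026:02:14:08 +0000] "POST /mcp_message?sessionID=c0ffee HTTP/1.1" 202 0 "-" "python-requests/2.32.3"
203.0.113.45 - - [16/Mar/2026:02:14:09 +0000] "POST /mcp_message?sessionID=c0ffee HTTP/1.1" 202 0 "-" "python-requests/2.32.3"
198.51.100.7 - - [16/Mar/2026:03:01:44 +0000] "GET /mcp_message HTTP/1.1" 403 153 "-" "curl/8.5.0"
192.0.2.9 - - [16/Mar/2026:04:22:13 +0000] "GET /mcp_message HTTP/1.1" 200 512 "-" "curl/8.5.0"
""".strip().splitlines()


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_mcp_abuse(lines, admin_networks):
    """Group /mcp_message requests by source outside admin_networks and classify each.

    Verdicts:
      "session opened and tool calls accepted": a 2xx GET (SSE channel) plus 2xx POSTs
      "endpoint reachable without auth":        2xx responses but no accepted POST
      "probe rejected":                         only non-2xx responses (patched or ACL'd)
    """
    nets = [ipaddress.ip_network(n) for n in admin_networks]
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(MCP_PATH):
            continue
        if any(ipaddress.ip_address(rec["ip"]) in net for net in nets):
            continue  # administrative source: still worth a look, but not flagged here
        by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        ok = [r for r in recs if 200 <= r["status"] < 300]
        sse_opened = any(r["method"] == "GET" for r in ok)
        tool_calls = sum(1 for r in ok if r["method"] == "POST")
        if not ok:
            verdict = "probe rejected"
        elif sse_opened and tool_calls:
            verdict = "session opened and tool calls accepted"
        else:
            verdict = "endpoint reachable without auth"
        findings.append({
            "ip": ip,
            "verdict": verdict,
            "requests": len(recs),
            "first_seen": recs[0]["time"],
            "user_agents": sorted({r["ua"] for r in recs}),
        })
    return findings


if __name__ == "__main__":
    for f in find_mcp_abuse(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"{f['ip']:15} {f['verdict']:40} requests={f['requests']} "
              f"first={f['first_seen']} ua={f['user_agents']}")
```

Run it against a real log with `find_mcp_abuse(open("access.log"), ["10.0.0.0/8"])`. The verdict that matters is the first one: a non-administrative source that got a 2xx on the SSE channel and then 2xx POSTs has, on an unpatched instance, very likely invoked tools, so treat the host's Nginx configuration as modified until the files and the reload history have been checked. Administrative sources are skipped only because they are expected to talk to the endpoint; on a vulnerable version they are still unauthenticated, so a compromised admin-network host is not covered by this filter.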
### Detection Methods and Tools
- **Shodan/Censys:** Search for publicly exposed Nginx UI instances to assess attack surface exposure.
- **Vulnerability Scanners:** Use updated signatures for CVE-2026-33032 to identify vulnerable versions within the environment.
## References
- **NVD:** hxxps[://]nvd.nist.gov/vuln/detail/CVE-2026-33032
- **Pluto Security Research:** hxxps[://]pluto.security/blog/mcp-bug-nginx-security-vulnerability-cvss-9-8/
- **Recorded Future Report:** hxxp[://]www.recordedfuture.com/blog/march-2026-cve-landscape
- **GitHub Release:** hxxps[://]github.com/0xJacky/nginx-ui/releases/tag/v2.3.6