Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover

Summary

CVE-2026-33032, a critical authentication bypass vulnerability in nginx-ui (CVSS 9.8), is under active exploitation in the wild. The flaw in the MCP (Model Context Protocol) integration allows unauthenticated attackers to invoke all MCP tools, modify Nginx configuration files, and achieve complete service takeover via two HTTP requests. The vulnerability was patched in version 2.3.4 on March 15, 2026, but approximately 2,689 exposed instances remain vulnerable globally.

Full text

Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover Ravie LakshmananApr 15, 2026Web Security / Vulnerability A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild. The vulnerability in question is CVE-2026-33032 (CVSS score: 9.8), an authentication bypass vulnerability that enables threat actors to seize control of the Nginx service. It has been codenamed MCPwn by Pluto Security. "The nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message," according to an advisory released by nginx-ui maintainers last month. "While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting -- and the default IP whitelist is empty, which the middleware treats as 'allow all.'" "This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover." According to Pluto Security researcher Yotam Perkal, who identified and reported the flaw, the attack can facilitate a full takeover in seconds via two requests - An HTTP GET request to the /mcp endpoint to establish a session and obtain a session ID. An HTTP POST request to the /mcp_message endpoint using the session ID to invoke any MCP tool sans authentication In other words, attackers can exploit this vulnerability by sending specially crafted HTTP requests directly to the "/mcp_message" endpoint without any authentication headers or tokens. Successful exploitation of the flaw could enable them to invoke MCP tools and modify Nginx configuration files and reload the server. Furthermore, an attacker could exploit this loophole to intercept all traffic and harvest administrator credentials. Following responsible disclosure, the vulnerability was addressed in version 2.3.4, released on March 15, 2026. As workarounds, users are advised to add "middleware.AuthRequired()" to the "/mcp_message" endpoint to force authentication. Alternatively, it's advised to change the IP allowlisting default behavior from "allow-all" to "deny-all." The disclosure comes as Recorded Future, in a report published this week, listed CVE-2026-33032 as one of the 31 vulnerabilities that have been actively exploited by threat actors in March 2026. There are currently no insights on the exploitation activity associated with the security flaw. "When you bolt MCP onto an existing application, the MCP endpoints inherit the application’s full capabilities but not necessarily its security controls. The result is a backdoor that bypasses every authentication mechanism the application was carefully built with," Perkal said. Data from Shodan shows that there are about 2,689 exposed instances on the internet, with most of them located in China, the U.S., Indonesia, Germany, and Hong Kong. "Given the approximately 2,600 publicly reachable nginx-ui instances our researchers identified, the risk to unpatched deployments is immediate and real," Pluto told The Hacker News. "Organizations running nginx-ui should treat this as an emergency: update to version 2.3.4 immediately, or disable MCP functionality and restrict network access as an interim measure." News of CVE-2026-33032 follows the discovery of two security flaws in the Atlassian MCP server ("mcp-atlassian") that could be chained to achieve remote code execution. The flaws – tracked as CVE-2026-27825 (CVSS 9.1) and CVE-2026-27826 (CVSS 8.2) and dubbed MCPwnfluence – enable any attacker on the same local network to run arbitrary code on a vulnerable machine without requiring any authentication. "When chaining both vulnerabilities -- we are able to send requests to the MCP from the LAN [local area network], redirect the server to the attacker machine, upload an attachment, and then receive a full unauthenticated RCE from the LAN," Pluto Security said. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cybersecurity, MCP, network security, NGINX, Patch Management, remote code execution, Threat Intelligence, Vulnerability, web security Trending News Microsoft Warns of WhatsApp-Delivered VBS Malware Hijacking Windows via UAC Bypass New Chrome Zero-Day CVE-2026-5281 Under Active Exploitation — Patch Released Apple Expands iOS 18.7.7 Update to More Devices to Block DarkSword Exploit Hackers Exploit CVE-2025-55182 to Breach 766 Next.js Hosts, Steal Credentials New SparkCat Variant in iOS, Android Apps Steals Crypto Wallet Recovery Phrase Images Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers Fortinet Patches Actively Exploited CVE-2026-35616 in FortiClient EMS Block the Prompt, Not the Work: The End of "Doctor No" BKA Identifies REvil Leaders Behind 130 German Ransomware Attacks ⚡ Weekly Recap: Axios Hack, Chrome 0-Day, Fortinet Exploits, Paragon Spyware and More China-Linked Storm-1175 Exploits Zero-Days to Rapidly Deploy Medusa Ransomware New GPUBreach Attack Enables Full CPU Privilege Escalation via GDDR6 Bit-Flips Docker CVE-2026-34040 Lets Attackers Bypass Authorization and Gain Host Access Anthropic's Claude Mythos Finds Thousands of Zero-Day Flaws Across Major Systems AI Will Change Cybersecurity. Humans Will Define Its Success. A Lesson No Algorithm Can Teach The AI Arms Race – Why Unified Exposure Management Is Becoming a Boardroom Priority Popular Resources Learn How to Block Breached Passwords in Active Directory Before Attacks Get Full Visibility into Vendor and Internal Risk in One Platform [Guide] Get Practical Steps to Govern AI Agents with Runtime Controls Secure Your AI Systems Across the Full Lifecycle of Risks

Indicators of Compromise

• cve — CVE-2026-33032
• cve — CVE-2026-27825
• cve — CVE-2026-27826

Entities