Critical Nginx UI auth bypass flaw now actively exploited in the wild
Critical Nginx UI auth bypass (CVE-2026-33032) actively exploited for unauthenticated server takeover.
Summary
A critical authentication bypass vulnerability in Nginx UI (CVE-2026-33032) leaves the '/mcp_message' endpoint unprotected, allowing unauthenticated remote attackers to invoke privileged Model Context Protocol (MCP) actions and achieve full server takeover. Nginx released a patch in version 2.3.4 on March 15, but the vulnerability is now under active exploitation in the wild, with approximately 2,600 publicly exposed instances identified. System administrators are urged to update to version 2.3.6 or later immediately.
Full text
Critical Nginx UI auth bypass flaw now actively exploited in the wild By Bill Toulas April 15, 2026 06:35 PM 0 A critical vulnerability in Nginx UI with Model Context Protocol (MCP) support is now being exploited in the wild for full server takeover without authentication. The flaw, tracked as CVE-2026-33032, is caused by nginx-ui leaving the ‘/mcp_message’ endpoint unprotected, allowing remote attackers to invoke privileged MCP actions without credentials. Because those actions involve writing and reloading nginx configuration files, a single unauthenticated request can modify server behavior and effectively take over the web server. “[...] any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads – achieving complete nginx service takeover,” reads NIST's descripion of the flaw in the National Vulnerability Database (NVD). NGNIX released a fix for the flaw in version 2.3.4 on March 15, a day after researchers at the AI workflow security company Pluto Security AI reported it. However, the vulnerability identifier, along with technical details and a proof-of-concept (PoC) exploit, emerged at the end of the month. In the CVE Landscape report earlier this week, threat intelligence company Recorded Future notes that CVE-2026-33032 is under active exploitation. Nginx UI is a web-based management interface for the Nginx web server. The library is very popular, with more than 11,000 stars on GitHub and 430,000 Docker pulls. Based on Pluto Security's internet scans using the Shodan engine, there are currently 2,600 publicly exposed instances potentially vulnerable to attacks. Most are in China, the United States, Indonesia, Germany, and Hong Kong. In a report today, Pluto Security's Yotam Perkal says that exploitation only requires network access and is achieved by establishing an SSE connection, opening an MCP session, and then using the returned ‘sessionID’ to send requests to the ‘/mcp_message’ endpoint. Overvie of the attack flowSource: Pluto Security From there, attackers can invoke MCP tools without authentication and take the following actions: Connect to the target nginx-ui instance Send requests without any authentication headers Gain access to all 12 MCP tools (7 destructive) Read nginx configuration files and exfiltrate them Inject a new nginx server block with malicious configuration Trigger automatic nginx reload Pluto Security's demo shows that an attacker can use the unauthenticated MCP message endpoint to execute privileged nginx management actions, perform config injection, and ultimately take control of the nginx server, all without authentication. Given the active exploitation status and the availability of public PoCs, system administrators are recommended to apply the available security updates as soon as possible. The latest secure version of nginx-ui is 2.3.6, released last week. Automated Pentesting Covers Only 1 of 6 Surfaces. Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation. Get Your Copy Now Related Articles: CISA flags Windows Task Host vulnerability as exploited in attacksAdobe rolls out emergency fix for Acrobat, Reader zero-day flawCritical Marimo pre-auth RCE flaw now under active exploitationAnalysis of one billion CISA KEV remediation records exposes limits of human-scale securityIvanti EPMM flaw exploited by Chinese hackers to breach govt agencies
Indicators of Compromise
- cve — CVE-2026-33032