A critical authentication bypass in nginx-ui, a widely used open-source web interface for managing nginx servers, has been actively exploited in the wild.
The vulnerability, tracked as CVE-2026-33032 with a CVSS score of 9.8, was discovered by Pluto Security and allows any network-adjacent attacker to take full control of an nginx server through a single unauthenticated API request.
VulnCheck has added the flaw to its Known Exploited Vulnerabilities (KEV) list. Recorded Future’s Insikt Group independently flagged it in a recent report as one of 31 high-impact vulnerabilities exploited during March 2026, assigning it a risk score of 94 out of 100.
Missing Middleware, Full Access
The root cause comes down to a single missing function call: nginx-ui recently added support for the Model Context Protocol (MCP), which splits communication across two HTTP endpoints.
The /mcp endpoint, used for establishing connections, carries both IP whitelisting and authentication middleware. But /mcp_message, the endpoint that processes every tool invocation including configuration writes and server restarts, shipped without the authentication check.
That omission exposes 12 MCP tools to unauthenticated callers. Seven are destructive, enabling attackers to inject nginx configurations, reload the server and intercept all traffic passing through it. The remaining five provide reconnaissance capabilities such as reading existing configs and mapping backend infrastructure.
Read more on MCP-focussed attacks: Hundreds of MCP Servers at Risk of RCE and Data Leaks
Thousands of Instances at Risk
Pluto Security’s researchers said they used Shodan to identify over 2,600 publicly reachable nginx-ui instances across cloud providers including Alibaba Cloud, Oracle and Tencent.
Most were running on the default port 9000. The tool’s Docker image has been pulled more than 430,000 times, suggesting a much larger population of potentially vulnerable deployments sitting behind firewalls.
The nginx-ui maintainers released a patch in version 2.3.4 just one day after disclosure. The fix amounted to 27 characters of added code, along with a regression test to prevent the same oversight from recurring. Organizations running nginx-ui with MCP enabled should take immediate action:
-
Update to version 2.3.4 or later
-
If patching is not possible, disable MCP functionality entirely
-
Restrict network access to the management interface
-
Review server logs and configuration directories for unauthorized changes
This is the second MCP vulnerability Pluto Security has disclosed in recent weeks, following MCPwnfluence, an SSRF-to-RCE chain in the Atlassian MCP server.
Both cases expose a recurring weakness: when MCP is connected to existing applications, its endpoints often inherit full capabilities without inheriting any of the security controls.
