Last updated: May 14, 2026 at 10:49 AM UTC

Nginx UI authentication bypass actively exploited - one unauthenticated request gives attackers full server takeover via MCP endpoint (CVE-2026-33032)

A CVSS 9.8 authentication bypass in nginx-ui, the popular open-source web management interface for Nginx servers, is being actively exploited in the wild. The flaw, codenamed MCPwn by Pluto Security, exists because the /mcp_message endpoint added for Model Context Protocol (AI integration) support only checks IP whitelisting - and the default whitelist is empty, meaning it allows all connections. One unauthenticated HTTP POST request lets an attacker invoke all MCP tools: rewrite Nginx config files, reload the server, intercept all traffic, and harvest admin credentials. Attackers chain it with CVE-2026-27944 (exposed encryption keys via the backup API) to extract the node_secret needed for full MCP access. Recorded Future flagged active exploitation and assigned a risk score of 94/100. Shodan shows 2,600 publicly exposed instances, mostly in China, the US, Indonesia, and Germany. Pluto Security's key lesson: AI integration endpoints expose the same capabilities as the core application but often skip its security controls.

Check
Check if you or any managed clients run nginx-ui (web-based Nginx management dashboard). If MCP support is enabled, this is urgent - you're likely exposed.
Affected
nginx-ui versions 2.3.5 and earlier with MCP support enabled. The tool has 11,000+ GitHub stars and 430,000 Docker pulls. Any instance reachable from the network is exploitable without credentials.
Fix
Update nginx-ui to version 2.3.6 immediately (2.3.4 was the first fix, 2.3.6 is current). If you can't patch: restrict network access to the nginx-ui management interface to trusted IPs only. Add authentication middleware to the /mcp_message endpoint. As defense-in-depth, audit all MCP-integrated tools in your environment - this class of flaw (AI integration endpoints skipping auth) will appear in other products.
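One way to apply the "restrict network access" and "add authentication" mitigations above without modifying nginx-ui itself is to put a separate Nginx reverse proxy in front of the dashboard and gate the vulnerable path there. The configuration below is an added example, not from the nginx-ui project or from the advisory; it assumes nginx-ui listens only on 127.0.0.1:9000 (a common default, verify on your install), that 10.0.0.0/8 is your trusted management network, that /etc/nginx/.htpasswd holds operator credentials, and that the dashboard uses websockets (hence the Upgrade headers). The hostname and TLS paths are placeholders.

```nginx
# Added example: front Nginx reverse proxy that gates nginx-ui's /mcp_message
# endpoint until the instance is patched. Not nginx-ui project configuration.
# Assumptions (verify on your deployment):
#   - nginx-ui is bound to 127.0.0.1:9000 and reachable on no other interface
#   - 10.0.0.0/8 is the trusted management network
#   - /etc/nginx/.htpasswd was created with htpasswd and holds operator accounts

upstream nginx_ui_backend {
    server 127.0.0.1:9000;
}

server {
    listen 443 ssl;
    server_name nginx-ui.example.internal;            # placeholder hostname

    ssl_certificate     /etc/nginx/tls/nginx-ui.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/nginx-ui.key;

    # Whole dashboard: management network only. These access rules are
    # inherited by every location below unless a location overrides them.
    allow 10.0.0.0/8;
    deny  all;

    # The MCP endpoint: on top of the network restriction, require operator
    # credentials, because nginx-ui's own IP allowlist for this path is empty
    # by default and therefore admits every source address.
    location /mcp_message {
        auth_basic           "nginx-ui MCP";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass http://nginx_ui_backend;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }

    # If you do not use the AI integration at all, prefer closing the path
    # outright (replace the location above with this one):
    # location /mcp_message { return 404; }

    # Everything else on the dashboard, still limited to the trusted range.
    location / {
        proxy_pass http://nginx_ui_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade           $http_upgrade;   # assumed websocket use
        proxy_set_header Connection        "upgrade";
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Two points decide whether this actually helps. First, the backend must be reachable only through the proxy: if nginx-ui (or its Docker port mapping) still listens on 0.0.0.0:9000, anyone can skip the proxy and hit /mcp_message directly, so bind it to loopback (for Docker, publish as 127.0.0.1:9000:9000). Second, check the project's documentation for any other MCP-related paths your version exposes and give them the same treatment; the location block above only covers the path named in the advisory. This is a stopgap, not a substitute for updating to 2.3.6.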