
Actively Exploited Nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover

Ravie Lakshmanan, April 15, 2026, Web Security / Vulnerability

A newly disclosed critical security flaw affecting nginx-ui, the open source, web-based Nginx management tool, has come under active exploitation in the wild.

The vulnerability in question is CVE-2026-33032 (CVSS score: 9.8), an authentication bypass that allows malicious actors to seize control of the Nginx service. It has been codenamed MCPwn by Pluto Security.

“The nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message,” according to an advisory issued by the nginx-ui maintainers last month. “Although /mcp requires both IP authorization and authentication (AuthRequired() middleware), the /mcp_message endpoint only supports IP authorization — and the default IP whitelist is empty, which the middleware takes as ‘allow all.’

“This means that any network attacker can request all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic configuration reloads – achieving a complete takeover of the nginx service.”

According to Pluto Security researcher Yotam Perkal, who identified and reported the bug, the attack is trivial to carry out and takes only seconds, requiring just two requests –

  • An HTTP GET request to the /mcp endpoint to establish a session and get the session ID.
  • An HTTP POST request to the /mcp_message endpoint that uses the session ID to invoke any MCP tool without authentication.

In other words, attackers can exploit this vulnerability by sending specially crafted HTTP requests directly to “/mcp_message” without headers or authentication tokens.

Successful exploitation of the bug could enable them to invoke MCP tools, modify Nginx configuration files, and reload the server. An attacker could also abuse the flaw to intercept all of the administrator’s traffic and harvest credentials.

Following responsible disclosure, the vulnerability was addressed in version 2.3.4, released on March 15, 2026. As a workaround, users are advised to add “middleware.AuthRequired()” to the “/mcp_message” route to force authentication. It is also advised to change the default behavior of the IP whitelist from “allow-all” to “deny-all.”
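To make the two fixes concrete, here is an added example written for this article (not nginx-ui’s code) using only Go’s standard library: ipAllowed, guard and newMux are hypothetical stand-ins for the IP-authorization and AuthRequired() middlewares the advisory names, the Authorization-header check is a placeholder rather than real session validation, and the “hardened” switch toggles between the vulnerable wiring (IP check only on /mcp_message, empty whitelist read as allow-all) and the corrected one (AuthRequired on /mcp_message, empty whitelist read as deny-all).

```go
package main
import (
	"net"
	"net/http"
	"net/http/httptest"
	"slices"
)

// Constructed stand-in for the IP-authorization check; an empty allowlist returns emptyMeansAllow.
func ipAllowed(remoteAddr string, allowlist []string, emptyMeansAllow bool) bool {
	if len(allowlist) == 0 {
		return emptyMeansAllow // true = the weak allow-all default, false = deny-all
	}
	host, _, _ := net.SplitHostPort(remoteAddr) // net/http sets RemoteAddr as "ip:port"
	return slices.Contains(allowlist, host)
}

// guard stands in for both middlewares the advisory names (IP authorization, AuthRequired).
func guard(ok func(*http.Request) bool, status int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !ok(r) {
			http.Error(w, http.StatusText(status), status)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// hardened=false reproduces the gap; hardened=true applies both fixes the article describes.
func newMux(allowlist []string, hardened bool) *http.ServeMux {
	tool := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.Write([]byte("tool invoked")) })
	ipOK := func(r *http.Request) bool { return ipAllowed(r.RemoteAddr, allowlist, !hardened) }
	authOK := func(r *http.Request) bool { return r.Header.Get("Authorization") != "" } // placeholder check
	msg := http.Handler(tool) // the gap: nothing authenticates the caller before the tool handler
	if hardened {
		msg = guard(authOK, http.StatusUnauthorized, tool)
	}
	mux := http.NewServeMux()
	mux.Handle("/mcp", guard(ipOK, http.StatusForbidden, guard(authOK, http.StatusUnauthorized, tool)))
	mux.Handle("/mcp_message", guard(ipOK, http.StatusForbidden, msg))
	return mux
}

// probe returns the status an unauthenticated POST from remoteAddr receives for path.
func probe(mux *http.ServeMux, path, remoteAddr string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, req)
	return rec.Code
}
```

With the default empty allowlist, the vulnerable wiring answers an unauthenticated POST to /mcp_message with 200 while /mcp returns 401; the hardened wiring returns 403 for both until the caller’s IP is listed, and then still demands authentication.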

This disclosure comes as Recorded Future, in a report published this week, listed CVE-2026-33032 as one of 31 vulnerabilities exploited by threat actors in March 2026. No further details about the exploitation activity associated with the flaw are currently available.

“When you plug in MCP to an existing application, MCP endpoints take over the full power of the system but not its security controls. The result is a backdoor that bypasses all of the system’s carefully built authentication methods,” Perkal said.

Data from Shodan shows about 2,689 instances exposed online, most of them located in China, the U.S., Indonesia, Germany and Hong Kong.

“Given the approximately 2,600 publicly accessible nginx-ui instances our researchers identified, the vulnerability of an unpublished deployment is immediate and real,” Pluto told The Hacker News. “Organizations using nginx-ui should treat this as an emergency: update to version 2.3.4 immediately, or disable MCP functionality and restrict network access as a temporary measure.”

News of CVE-2026-33032 follows the discovery of two security flaws in the Atlassian MCP server (“mcp-atlassian”) that could be exploited to achieve remote code execution. The flaws – tracked as CVE-2026-27825 (CVSS 9.1) and CVE-2026-27826 (CVSS 8.2) and collectively named MCPwnfluence – enable any attacker on the same local network to execute arbitrary code on a vulnerable machine without requiring any authentication.

“If we bridge both vulnerabilities — we are able to send requests to the MCP from the LAN [local area network], redirect the server to the attacking machine, upload the attachment, and receive a full unauthorized RCE from the LAN,” Pluto Security said.
