Nginx-UI Auth Bypass Under Active Exploit — 2,600 Servers at Risk
CVE-2026-33032 lets attackers take full control of nginx-ui servers without credentials. Threat actors are exploiting it now. Upgrade to 2.3.4 immediately.
A critical authentication bypass in nginx-ui is being actively exploited to seize control of web servers. CVE-2026-33032 carries a CVSS score of 9.8 and allows unauthenticated attackers to invoke administrative functions—including rewriting nginx configurations and restarting services—without any credentials.
Pluto Security researchers who discovered the flaw have dubbed it "MCPwn," a reference to the Model Context Protocol integration that makes the attack possible. About 2,600 instances sit exposed on the internet, primarily in China, the United States, Indonesia, Germany, and Hong Kong.
TL;DR
- What happened: nginx-ui's MCP integration left an endpoint unprotected
- Who's affected: All nginx-ui versions prior to 2.3.4
- Severity: Critical (CVSS 9.8) — actively exploited
- Action required: Upgrade to version 2.3.4 or later immediately
How the Attack Works
The vulnerability stems from inconsistent authentication enforcement across nginx-ui's MCP endpoints. The /mcp endpoint requires both IP whitelisting and user authentication. The /mcp_message endpoint, however, only checks IP whitelisting—and the default whitelist is empty, which the middleware interprets as "allow all."
"When you bolt MCP onto an existing application, the MCP endpoints inherit the application's full capabilities but not necessarily its security controls," Yotam Perkal from Pluto Security explained.
Attackers exploit this gap in two steps. First, they establish a server-sent events (SSE) connection to obtain a session ID. Then they send requests to the unprotected /mcp_message endpoint, invoking any of the 12 available MCP tools—seven of which are destructive.
Those tools let attackers restart nginx, create or delete configuration files, and trigger automatic config reloads. A single unauthenticated request can modify server behavior and effectively hijack the web server.
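To make the middleware gap concrete, here is an added example in Go (the language nginx-ui is written in). It is not code from nginx-ui or from Pluto Security: it uses the standard net/http package instead of the project's web framework, a hypothetical bearer token demoToken in place of a real session check, and RFC 5737 documentation addresses. VulnerableMux wires the two endpoints the way the advisory describes the pre-2.3.4 behaviour (only /mcp requires a session, and the IP filter treats an empty allowlist as "allow all"); FixedMux puts both paths behind the same guard chain and fails closed when no allowlist is configured.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed illustration of the gap behind CVE-2026-33032; not nginx-ui's code.
// demoToken stands in for a real session credential (hypothetical value).
const demoToken = "example-session-token"

// ipAllowed reports whether remoteIP matches an allowlist entry (single IP or CIDR).
func ipAllowed(allowlist []string, remoteIP string) bool {
	ip := net.ParseIP(remoteIP)
	if ip == nil {
		return false
	}
	for _, entry := range allowlist {
		if _, cidr, err := net.ParseCIDR(entry); err == nil {
			if cidr.Contains(ip) {
				return true
			}
			continue
		}
		if other := net.ParseIP(entry); other != nil && other.Equal(ip) {
			return true
		}
	}
	return false
}

// ipFilter guards next with the allowlist. openWhenEmpty reproduces the flawed
// semantics (empty allowlist means allow all); false fails closed instead.
func ipFilter(allowlist []string, openWhenEmpty bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, _ := net.SplitHostPort(r.RemoteAddr)
		if len(allowlist) == 0 && openWhenEmpty {
			next.ServeHTTP(w, r)
			return
		}
		if !ipAllowed(allowlist, host) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// requireAuth rejects requests that do not carry the session credential.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ") != demoToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// tools stands in for the MCP tool dispatcher (restart, write config, ...).
var tools = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "tool invoked")
})

// VulnerableMux wires the endpoints the way the advisory describes the pre-2.3.4 code.
func VulnerableMux(allowlist []string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/mcp", ipFilter(allowlist, true, requireAuth(tools)))
	mux.Handle("/mcp_message", ipFilter(allowlist, true, tools)) // no requireAuth: the gap
	return mux
}

// FixedMux applies one guard chain to every MCP path and fails closed on an empty allowlist.
func FixedMux(allowlist []string) http.Handler {
	guard := func(h http.Handler) http.Handler { return ipFilter(allowlist, false, requireAuth(h)) }
	mux := http.NewServeMux()
	mux.Handle("/mcp", guard(tools))
	mux.Handle("/mcp_message", guard(tools))
	return mux
}

// Probe returns the status code h gives a request from remoteIP carrying token ("" for none).
func Probe(h http.Handler, path, remoteIP, token string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	req.RemoteAddr = remoteIP + ":54321"
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Addresses are RFC 5737 documentation ranges (constructed).
	fmt.Println("vulnerable, empty allowlist, no token:", Probe(VulnerableMux(nil), "/mcp_message", "203.0.113.7", ""))
	fmt.Println("fixed, empty allowlist, no token:     ", Probe(FixedMux(nil), "/mcp_message", "203.0.113.7", ""))
	fmt.Println("fixed, allowlisted, valid token:      ", Probe(FixedMux([]string{"10.0.0.0/8"}), "/mcp_message", "10.1.2.3", demoToken))
}
```

Two design points carry over to any application that bolts on MCP: every route that can reach the tool dispatcher goes through one shared guard chain rather than per-route choices, and an unset allowlist denies rather than admits, so a default configuration is never the open one.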
Chaining with Backup Vulnerability
The exploitation becomes even easier when combined with CVE-2026-27944, a related flaw patched in version 2.3.3. That vulnerability exposed the /api/backup endpoint without authentication, leaking encryption keys in response headers and allowing attackers to download full system backups.
Those backups contain the node_secret parameter—the authentication key for establishing MCP sessions. With this secret extracted, attackers bypass even the session establishment step and jump straight to sending malicious commands.
Active Exploitation Confirmed
Recorded Future listed CVE-2026-33032 among 31 vulnerabilities that saw active exploitation in March 2026. This adds to what's already been a brutal month for patch management—Microsoft's April Patch Tuesday addressed 167 CVEs including an actively exploited SharePoint zero-day. The disclosure timeline for nginx-ui was tight: Pluto Security reported the flaw on March 14, and maintainers pushed a fix in version 2.3.4 on March 15. But detailed technical information and a working proof-of-concept emerged by late March, giving attackers a roadmap.
This mirrors the rapid exploitation we've seen with other web management tools. When researchers disclosed critical flaws in Flowise AI earlier this year, threat actors began scanning within hours of PoC availability. Management interfaces remain high-value targets because they offer direct control over infrastructure.
Who's Running nginx-ui?
nginx-ui is an open-source project by developer 0xJacky that provides a web-based interface for managing nginx servers. It handles configuration editing, SSL certificate management via Let's Encrypt, and server monitoring—tasks that would otherwise require command-line access.
The project has grown popular among administrators who want a graphical alternative to editing nginx configs by hand. That convenience comes with risk: exposing management interfaces to the internet creates exactly the attack surface exploited here.
Shodan scans by Pluto Security identified roughly 2,689 publicly accessible instances. The geographic distribution skews heavily toward Asia, with China hosting the largest share.
What to Do Now
Organizations running nginx-ui should treat this as an emergency. The patch has been available for a month, yet thousands of instances remain exposed.
Immediate steps:
- Upgrade to nginx-ui version 2.3.4 or later (current release is 2.3.6)
- Restrict access to nginx-ui using firewall rules or VPN
- Review nginx configurations for unauthorized modifications
- Rotate any credentials stored in nginx-ui backups
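As an added example supporting the review step (it is not the article's or nginx-ui's code), the following Go program reads nginx access logs in the default combined format, picks out requests to the endpoints named above (/mcp, /mcp_message and /api/backup) from addresses outside a trusted set, and rates each by whether the server answered with a 2xx. The log lines and the trusted address are constructed; the regular expression assumes the stock combined log_format and will skip lines in any other layout.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed example, not code from the article or from nginx-ui.

// sensitivePaths: the MCP endpoints (CVE-2026-33032) and the backup endpoint (CVE-2026-27944).
var sensitivePaths = map[string]bool{"/mcp": true, "/mcp_message": true, "/api/backup": true}

// combinedLine matches: ip - user [time] "METHOD path proto" status bytes ...
var combinedLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) `)

// Finding is one request worth a second look.
type Finding struct {
	Time     string
	IP       string
	Method   string
	Path     string
	Status   int
	Severity string // "high" when the server answered 2xx, "low" when it refused
}

// ScanAccessLog returns a Finding for each request to a sensitive path from an
// address not in trustedIPs. Lines that do not parse are skipped, not fatal.
func ScanAccessLog(lines []string, trustedIPs map[string]bool) []Finding {
	var findings []Finding
	for _, line := range lines {
		m := combinedLine.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		ip, ts, method, path := m[1], m[2], m[3], m[4]
		if i := strings.IndexByte(path, '?'); i >= 0 {
			path = path[:i] // compare the path without its query string
		}
		if !sensitivePaths[path] || trustedIPs[ip] {
			continue
		}
		status, err := strconv.Atoi(m[5])
		if err != nil {
			continue
		}
		sev := "low"
		if status >= 200 && status < 300 {
			sev = "high" // the request from an untrusted address was served
		}
		findings = append(findings, Finding{ts, ip, method, path, status, sev})
	}
	return findings
}

// HighSeveritySources counts served (2xx) sensitive requests per source address.
func HighSeveritySources(findings []Finding) map[string]int {
	counts := map[string]int{}
	for _, f := range findings {
		if f.Severity == "high" {
			counts[f.IP]++
		}
	}
	return counts
}

// sampleLog is constructed data using RFC 5737 documentation addresses.
var sampleLog = []string{
	`192.0.2.10 - - [28/Mar/2026:10:14:02 +0000] "GET /mcp HTTP/1.1" 200 512 "-" "curl/8.5.0"`,
	`10.0.0.5 - admin [28/Mar/2026:10:15:00 +0000] "GET /mcp HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`198.51.100.23 - - [28/Mar/2026:10:16:11 +0000] "POST /mcp_message?x=1 HTTP/1.1" 200 87 "-" "python-requests/2.31"`,
	`198.51.100.23 - - [28/Mar/2026:10:16:12 +0000] "GET /api/backup HTTP/1.1" 200 40960 "-" "python-requests/2.31"`,
	`203.0.113.9 - - [28/Mar/2026:10:20:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"`,
	`203.0.113.9 - - [28/Mar/2026:10:20:01 +0000] "GET /mcp_message HTTP/1.1" 403 0 "-" "Mozilla/5.0"`,
	`garbage line that does not parse`,
}

func main() {
	trusted := map[string]bool{"10.0.0.5": true} // the admin workstation (constructed)
	findings := ScanAccessLog(sampleLog, trusted)
	for _, f := range findings {
		fmt.Printf("[%s] %s %s %s %s -> %d\n", f.Severity, f.Time, f.IP, f.Method, f.Path, f.Status)
	}
	for ip, n := range HighSeveritySources(findings) {
		fmt.Printf("%s had %d sensitive request(s) served\n", ip, n)
	}
}
```

A "high" finding for /mcp_message or /api/backup dated before the upgrade is the signal that the configuration review and credential rotation in the list above are not optional; a burst of "low" findings after the upgrade shows the fix doing its job against ongoing scanning.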
The vulnerability disclosure also revealed several other nginx-ui security issues fixed in recent versions, including configuration directory deletion (CVE-2026-33027), race conditions leading to data corruption (CVE-2026-33028), and denial-of-service via logrotate manipulation (CVE-2026-33029). Running the latest version addresses all of them.
Why This Matters
MCP integrations are appearing in more tools as developers add AI capabilities. The nginx-ui case shows what happens when those integrations skip authentication—a pattern likely to repeat as MCP adoption accelerates.
Nginx itself powers roughly 34% of all websites according to W3Techs. While nginx-ui is just one management interface, similar tools exist across the ecosystem. Administrators should audit any web-based management panels they've deployed, especially those exposed to the internet.
This is the second major nginx-related campaign we've tracked recently. In February, threat actors exploited React2Shell to hijack nginx configurations on over 1,000 servers, redirecting web traffic through attacker infrastructure. Web server management tools continue attracting attention because compromising them means controlling everything they manage.