Full Report
A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild. The vulnerability in question is CVE-2026-33032 (CVSS score: 9.8), an authentication bypass vulnerability that enables threat actors to seize control of the Nginx service. It has been codenamed MCPwn by Pluto Security.
Analysis Summary
# Vulnerability: MCPwn - Critical nginx-ui Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-33032
- **CVSS Score:** 9.8 (Critical)
- **CWE:** Improper Authentication / Fail-open Access Control
## Affected Systems
- **Products:** nginx-ui (Open-source web-based Nginx management tool)
- **Versions:** All versions prior to v2.3.4
- **Configurations:** Systems using the Model Context Protocol (MCP) integration.
## Vulnerability Description
The flaw resides in the implementation of the MCP integration within nginx-ui. While the `/mcp` endpoint requires both IP whitelisting and authentication, the `/mcp_message` endpoint was found to only apply IP whitelisting. By default, the IP whitelist was empty; the middleware interpreted this empty state as "allow all."
Technically, an attacker can obtain a session ID from the `/mcp` endpoint and then use that ID to send unauthorized POST requests to `/mcp_message`. This bypass allows the invocation of all MCP tools, which possess the authority to modify Nginx configurations, restart services, and reload the server.
## Exploitation
- **Status:** Exploited in the wild (Reported as active in March 2026)
- **Complexity:** Low (Can be executed in seconds via two HTTP requests)
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Ability to intercept traffic and harvest administrator credentials)
- **Integrity:** High (Complete control over Nginx configuration files)
- **Availability:** High (Ability to restart or reload Nginx, or to push a configuration that takes the service down)
## Remediation
### Patches
- **Update to v2.3.4 or later:** This version fixes the default IP whitelisting logic and ensures proper authentication middleware is applied.
### Workarounds
- **Manual Middleware Update:** If you build nginx-ui from source, add `middleware.AuthRequired()` to the `/mcp_message` route so that it enforces the same authentication as `/mcp`, then rebuild and redeploy.
- **Access Control:** Populate the MCP IP allowlist so it is no longer empty (unpatched versions treat an empty list as allow-all), and restrict network access to the nginx-ui management interface with external firewall rules (ACLs) so that only trusted administrator addresses can reach it.
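The fail-open allowlist described in the Vulnerability Description, and the effect of the workaround above, as an added example that is not nginx-ui's own code. It uses Go's standard `net/http` rather than the project's web framework, and `mcpMessage`, `authRequired`, `allowlistFailOpen`, `allowlistFailClosed` and the token value are simplified stand-ins for the real handlers and middleware (assumptions, not nginx-ui identifiers). The unpatched chain lets an unauthenticated external client reach the tool-dispatch handler when the allowlist is empty; the hardened chain denies on an empty allowlist and then still demands a credential.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// mcpMessage stands in for the /mcp_message handler that dispatches MCP tool
// calls (config writes, reloads, restarts). Stub for this example only.
var mcpMessage = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	w.WriteHeader(http.StatusOK)
	fmt.Fprint(w, "tool call accepted")
})

// clientIP strips the port from an http.Request.RemoteAddr.
func clientIP(remoteAddr string) string {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return remoteAddr
	}
	return host
}

func ipAllowed(allow []string, remoteAddr string) bool {
	ip := clientIP(remoteAddr)
	for _, a := range allow {
		if a == ip {
			return true
		}
	}
	return false
}

// allowlistFailOpen reproduces the fail-open semantics the advisory describes:
// an empty allowlist is treated as "allow everyone".
func allowlistFailOpen(allow []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(allow) == 0 || ipAllowed(allow, r.RemoteAddr) { // BUG: len==0 short-circuits to allow
			next.ServeHTTP(w, r)
			return
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// allowlistFailClosed is the hardened form: an empty allowlist denies everyone.
func allowlistFailClosed(allow []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !ipAllowed(allow, r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// authRequired is a minimal bearer-token check playing the role of the
// project's middleware.AuthRequired(); the real middleware differs.
func authRequired(validToken string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if subtle.ConstantTimeCompare([]byte(got), []byte(validToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one POST /mcp_message from the given client (with an optional
// bearer token) through the handler chain and returns the status code.
func probe(h http.Handler, from, token string) int {
	body := strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"tools/call"}`) // constructed
	req := httptest.NewRequest(http.MethodPost, "/mcp_message?sessionId=constructed", body)
	req.RemoteAddr = from
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

const attacker = "203.0.113.7:51000" // constructed external client address
const secret = "constructed-token"   // constructed credential

// UnpatchedStatus: empty allowlist and no auth middleware on /mcp_message.
func UnpatchedStatus() int { return probe(allowlistFailOpen(nil, mcpMessage), attacker, "") }

// patched is the hardened chain: fail-closed allowlist, then auth, then handler.
func patched(allow []string) http.Handler {
	return allowlistFailClosed(allow, authRequired(secret, mcpMessage))
}
func PatchedEmptyAllowlistStatus() int { return probe(patched(nil), attacker, "") }
func PatchedNoTokenStatus() int        { return probe(patched([]string{"203.0.113.7"}), attacker, "") }
func PatchedWithTokenStatus() int      { return probe(patched([]string{"203.0.113.7"}), attacker, secret) }

func main() {
	fmt.Println("unpatched, empty allowlist, no token:   ", UnpatchedStatus())
	fmt.Println("patched, empty allowlist, no token:     ", PatchedEmptyAllowlistStatus())
	fmt.Println("patched, IP allowlisted, no token:      ", PatchedNoTokenStatus())
	fmt.Println("patched, IP allowlisted, valid token:   ", PatchedWithTokenStatus())
}
```

The ordering in `patched` mirrors what the advisory says `/mcp` already did: the allowlist check runs first and the credential check second, so an external client is refused before the application ever looks at a token, and an allowlisted client without a token is still refused.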
## Detection
- **Indicators of Compromise:**
- Unexpected POST requests to the `/mcp_message` endpoint from unauthorized or external IP addresses.
- Unauthorized changes to Nginx configuration files (`nginx.conf` or the files under `sites-available`/`sites-enabled`).
- Unscheduled Nginx service reloads or restarts.
- **Detection Methods:** Monitor web server access logs for a GET request to `/mcp` followed shortly by POST requests to `/mcp_message` from the same client, especially from addresses outside the administrator network. Standard combined-format access logs do not record authorization headers, so correlate on source IP and timing rather than on the presence of a token.
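The detection method above, run over constructed access-log lines, as an added example that is not part of the original report. It parses nginx combined-format entries, remembers the last `GET /mcp` per client, and raises an alert when the same client POSTs to `/mcp_message` within a configurable window or when the POST comes from outside an internal CIDR list. The sample log, the `10.0.0.0/8` "internal" range and the 60-second window are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed access-log record.
type Event struct {
	Client string
	When   time.Time
	Method string
	Path   string
	Status int
}

// Alert is one finding produced by Detect.
type Alert struct {
	Client   string
	Reason   string
	External bool
	Gap      time.Duration // time from the client's last GET /mcp; zero if none seen
}

// lineRe captures the fields of nginx's default "combined" log format that
// the detection needs: client, timestamp, method, path, status.
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

const nginxTimeLayout = "02/Jan/2006:15:04:05 -0700"

// SampleLog is a constructed excerpt for this example, not a real capture.
var SampleLog = []string{
	`203.0.113.7 - - [03/Apr/2026:10:15:01 +0000] "GET /mcp HTTP/1.1" 200 512 "-" "curl/8.5.0"`,
	`203.0.113.7 - - [03/Apr/2026:10:15:02 +0000] "POST /mcp_message?sessionId=abc123 HTTP/1.1" 200 128 "-" "curl/8.5.0"`,
	`10.0.0.5 - - [03/Apr/2026:10:16:00 +0000] "GET /mcp HTTP/1.1" 200 512 "-" "Mozilla/5.0"`,
	`10.0.0.5 - - [03/Apr/2026:10:17:30 +0000] "POST /mcp_message?sessionId=def456 HTTP/1.1" 200 128 "-" "Mozilla/5.0"`,
	`198.51.100.9 - - [03/Apr/2026:10:18:00 +0000] "POST /mcp_message?sessionId=zzz999 HTTP/1.1" 200 128 "-" "python-requests/2.31"`,
}

// ParseLine extracts an Event from one combined-format line.
func ParseLine(line string) (Event, error) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, fmt.Errorf("unparsed line: %q", line)
	}
	ts, err := time.Parse(nginxTimeLayout, m[2])
	if err != nil {
		return Event{}, err
	}
	status, _ := strconv.Atoi(m[5])
	return Event{Client: m[1], When: ts, Method: m[3], Path: m[4], Status: status}, nil
}

// pathOnly drops the query string so "/mcp_message?sessionId=..." matches exactly.
func pathOnly(p string) string { return strings.SplitN(p, "?", 2)[0] }

func isMCPHandshake(e Event) bool { return e.Method == "GET" && pathOnly(e.Path) == "/mcp" }
func isMCPMessage(e Event) bool   { return e.Method == "POST" && pathOnly(e.Path) == "/mcp_message" }

func isInternal(client string, nets []*net.IPNet) bool {
	ip := net.ParseIP(client)
	if ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Detect replays the log in order and flags POST /mcp_message requests that
// follow a GET /mcp from the same client within `window`, or that arrive from
// an address outside `internal`.
func Detect(lines []string, internal []*net.IPNet, window time.Duration) []Alert {
	lastGet := map[string]time.Time{}
	var alerts []Alert
	for _, l := range lines {
		e, err := ParseLine(l)
		if err != nil {
			continue // malformed lines are skipped, not fatal
		}
		switch {
		case isMCPHandshake(e):
			lastGet[e.Client] = e.When
		case isMCPMessage(e):
			external := !isInternal(e.Client, internal)
			if t, seen := lastGet[e.Client]; seen && e.When.Sub(t) <= window {
				alerts = append(alerts, Alert{e.Client, "GET /mcp followed by POST /mcp_message within window", external, e.When.Sub(t)})
			} else if external {
				alerts = append(alerts, Alert{e.Client, "POST /mcp_message from external address", external, 0})
			}
		}
	}
	return alerts
}

func main() {
	_, internal, _ := net.ParseCIDR("10.0.0.0/8") // assumed admin network
	for _, a := range Detect(SampleLog, []*net.IPNet{internal}, 60*time.Second) {
		fmt.Printf("%-14s external=%-5t gap=%-4s %s\n", a.Client, a.External, a.Gap, a.Reason)
	}
}
```

With the sample data the internal client at 10.0.0.5 is not flagged because its two requests are 90 seconds apart and it is inside the admin range; tighten or loosen the window and the CIDR list to match how your operators actually use the MCP integration.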
## References
- **Vendor Advisory:** hxxps[://]github[.]com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf
- **GitHub Release:** hxxps[://]github[.]com/0xJacky/nginx-ui/releases/tag/v2.3.4
- **Researcher Blog (Pluto Security):** hxxps[://]pluto[.]security/blog/mcp-bug-nginx-security-vulnerability-cvss-9-8/
- **Original Article:** hxxps[://]thehackernews[.]com/2026/04/critical-nginx-ui-vulnerability-cve.html