Critical Nginx-ui MCP Flaw Actively Exploited in the Wild
A critical nginx-ui MCP flaw is being actively exploited, putting thousands of servers at risk. Tracked as CVE-2026-33032, this authentication bypass vulnerability carries a CVSS score of 9.8, making it one of the most severe threats currently facing system administrators. Discovered by Pluto Security, the flaw allows any network-adjacent attacker to take full control of an nginx server through a single unauthenticated API request.
Understanding the Nginx-ui MCP Flaw: Root Cause and Impact
So, what exactly went wrong? The vulnerability stems from a missing function call in the Model Context Protocol (MCP) implementation. Nginx-ui recently added MCP support, which splits communication across two HTTP endpoints. The /mcp endpoint properly includes both IP whitelisting and authentication middleware. However, the /mcp_message endpoint—which processes every tool invocation, including configuration writes and server restarts—shipped without any authentication check.
This omission exposes 12 MCP tools to unauthenticated callers. Seven of these are destructive, enabling attackers to inject nginx configurations, reload the server, and intercept all traffic passing through it. The remaining five provide reconnaissance capabilities, such as reading existing configs and mapping backend infrastructure. In other words, an attacker can silently take over your server and spy on your traffic.
Why This Nginx-ui MCP Flaw Demands Immediate Action
VulnCheck has already added the flaw to its Known Exploited Vulnerabilities (KEV) list. Meanwhile, Recorded Future’s Insikt Group independently flagged it in a recent report as one of 31 high-impact vulnerabilities exploited during March 2026, assigning it a risk score of 94 out of 100. Both listings underscore the severity of the threat.
Pluto Security’s researchers used Shodan to identify over 2,600 publicly reachable nginx-ui instances across cloud providers including Alibaba Cloud, Oracle, and Tencent. Most were running on the default port 9000. The tool’s Docker image has been pulled more than 430,000 times, suggesting a much larger population of potentially vulnerable deployments sitting behind firewalls. Therefore, the actual number of at-risk instances could be significantly higher.
What Makes This Vulnerability Particularly Dangerous
This is the second MCP vulnerability Pluto Security has disclosed in recent weeks, following MCPwnfluence, an SSRF-to-RCE chain in the Atlassian MCP server. Both cases expose a recurring weakness: when MCP is connected to existing applications, its endpoints often inherit full capabilities without inheriting any of the security controls. As a result, a single missing check can compromise an entire system.
How to Protect Your Servers from the Nginx-ui MCP Flaw
The nginx-ui maintainers released a patch in version 2.3.4 just one day after disclosure. The fix amounted to 27 characters of added code, along with a regression test to prevent the same oversight from recurring. Organizations running nginx-ui with MCP enabled should take immediate action:
- Update to version 2.3.4 or later without delay.
- If patching is not possible, disable MCP functionality entirely.
- Restrict network access to the management interface using firewalls or VPNs.
- Review server logs and configuration directories for any unauthorized changes.
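The missing-middleware pattern and the kind of regression test described above, as an added example in Go using only the standard library. This is not nginx-ui's code: the function names, the static bearer token and the route-audit helper are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// requireAuth stands in for the real auth middleware (hypothetical static token).
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer constructed-test-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMux registers both MCP endpoints. With protectMessage=false only /mcp is
// wrapped by the middleware, which is the omission the article describes.
func newMux(protectMessage bool) *http.ServeMux {
	tool := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "tool invoked") })
	mux := http.NewServeMux()
	mux.Handle("/mcp", requireAuth(tool))
	var msg http.Handler = tool
	if protectMessage {
		msg = requireAuth(tool)
	}
	mux.Handle("/mcp_message", msg)
	return mux
}

// unprotectedRoutes sends a credential-free POST to each path and returns those not answering 401/403.
func unprotectedRoutes(h http.Handler, paths []string) []string {
	var open []string
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, p, nil))
		if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden {
			open = append(open, p)
		}
	}
	return open
}

func main() {
	paths := []string{"/mcp", "/mcp_message"}
	fmt.Println(unprotectedRoutes(newMux(false), paths), unprotectedRoutes(newMux(true), paths))
}
```

Running a check like `unprotectedRoutes` over every registered management route in CI catches an endpoint that was added without the middleware before it ships.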
Conclusion: Act Now Before the Nginx-ui MCP Flaw Hits Your Network
Given the active exploitation and high CVSS score, this is not a vulnerability you can afford to ignore. The nginx-ui MCP flaw represents a clear and present danger to any organization using this popular web interface. By patching immediately, restricting access, and reviewing your logs, you can mitigate the risk. Remember, in the world of cybersecurity, a single missing line of code can open the door to disaster.