nginx-ui MCP Endpoint Missing Authentication (CVE-2026-33032) Exploited in the Wild, No Patch Available
Contents
If you’re self-hosting nginx-ui, act now. CVE-2026-33032 (CVSS 9.8) is an authentication bypass in nginx-ui, an open-source tool for managing nginx through a web browser. Active exploitation has been confirmed as of April 2026, and no patch is available yet.
The vulnerability was discovered by yotampe of Pluto Security and has been dubbed “MCPwn.”
A Shodan survey found roughly 2,600 to 2,689 instances exposed to the internet, concentrated in China, the US, Indonesia, Germany, and Hong Kong.
What is nginx-ui?
nginx-ui is an open-source tool that provides a web-based management interface for nginx. It allows editing, adding, and deleting nginx configuration files, starting/stopping/restarting nginx, managing certificates (with Let’s Encrypt integration), syntax highlighting for configs, and real-time access log viewing—all from a browser. It’s written in Go and listens on port 9000 by default. It’s used by everyone from individual VPS owners to teams managing shared infrastructure.
In the affected 2.x series, MCP (Model Context Protocol, designed by Anthropic) integration was added. This feature lets AI agents operate nginx as a tool, but its endpoint implementation had a critical flaw.
Technical Details
Authentication Asymmetry Between Endpoints
nginx-ui v2.3.5 and earlier exposes two MCP-related HTTP endpoints:
| Endpoint | IP Whitelist | Authentication (AuthRequired) |
|---|---|---|
/mcp | Applied | Required |
/mcp_message | Applied | None |
Both endpoints call the same handler, mcp.ServeHTTP(). This means accessing /mcp_message completely bypasses the authentication required by /mcp.
IP Whitelist “Fail-Open” Behavior
The other control layer, the IP whitelist, also has a fatal default value problem. When the whitelist is empty (the default state), the middleware permits all traffic.
// IP whitelist middleware implementation (simplified)
if len(settings.AuthSettings.IPWhiteList) == 0 {
c.Next() // Empty list = allow all IPs
return
}As a result, instances running with default settings have no IP restrictions, no authentication, and their /mcp_message endpoint is accessible to anyone on the internet.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Attack Vector (AV): Network (remote)
- Attack Complexity (AC): Low
- Privileges Required (PR): None
- User Interaction (UI): None
- Confidentiality (C) / Integrity (I) / Availability (A): All High
A CVSS v3.1 score of 9.8 only occurs when the combination of no authentication, network-reachable, no user interaction, and full takeover capability all align.
MCP Tools Available to Attackers
The following MCP tools can be invoked without authentication via /mcp_message:
| Category | Tool Name | Operation |
|---|---|---|
| Config Management | nginx_config_add | Create new config files |
| Config Management | nginx_config_modify | Modify existing configs |
| Config Management | nginx_config_delete | Delete config files |
| Config Management | nginx_config_rename | Rename files |
| Config Management | nginx_config_read | Read configs (leaks backend topology) |
| Directory Operations | directory_create | Create directories |
| Service Control | nginx_restart | Restart nginx |
| Service Control | nginx_reload | Apply config changes immediately |
| Monitoring | Status check | Retrieve service status |
By combining these, an attacker can:
- Insert reverse proxy rules to intercept and tamper with HTTP traffic
- Read internal backend server addresses and topology from config files
- Push intentionally broken configs to take nginx offline
- Delete legitimate configs to destroy services
Example Attack Chain
graph TD
A[Attacker] -->|JSON-RPC 2.0 request<br/>port 9000| B[/mcp_message endpoint]
B -->|IP whitelist empty<br/>= allow all| C[Authentication check skipped]
C -->|Call nginx_config_add| D[Inject malicious config]
D -->|Call nginx_reload| E[Apply config immediately]
E --> F[Traffic interception<br/>credential theft]
E --> G[Backend topology leaked]
E --> H[Service disruption<br/>config destruction]A real attack starts with a single JSON-RPC 2.0 request. No authentication headers needed, no user interaction required—if the instance is publicly accessible, it can be exploited immediately from the outside.
Current Status and GitHub Advisory
The vulnerability was published on March 28, 2026 as a GitHub Security Advisory (GHSA-h6c2-x2m2-mwhf).
As of this writing (April 16, 2026), no patch exists. Both CISA (the US Cybersecurity and Infrastructure Security Agency) and VulnCheck have confirmed active exploitation.
The code change required for a fix is straightforward: add AuthRequired() middleware to the /mcp_message route.
// Fixed routing (example)
r.Any("/mcp_message", middleware.IPWhiteList(), middleware.AuthRequired(), handler)Additionally, the default behavior when the IP whitelist is empty should be changed from “allow all” to “deny all.” The current fail-open design misleads operators who rely on the IP whitelist as a defense layer.
Mitigations
Until a patch is released, consider the following measures.
Immediate Action
If nginx-ui is directly exposed to the internet, block external access to port 9000 at the firewall immediately.
The management interface should only be accessible via VPN or from the local network.
Disable MCP Endpoints
If nginx-ui’s settings allow disabling MCP integration, turn it off. If you’re not using AI agents to operate nginx, there’s no reason to expose the endpoint.
Network Isolation
Check whether your instances are publicly visible on Shodan or Censys.
Having management tool ports directly bound to a public IP is high risk regardless of this specific vulnerability.
Log Audit
Assume that compromise may have already occurred and check nginx-ui access logs for suspicious POST requests to /mcp_message.
Cross-reference past access records with config file change history to look for unintended modifications.
MCP server security issues have been flagged repeatedly.
A scan of 50 open-source MCP servers found input validation missing in 61% of them—the “forgot to add authentication to the endpoint” class of bug is not unique to nginx-ui.
When adopting tools with MCP integration, it’s worth checking exposed endpoints and authentication yourself.