https://pluto.security/blog/mcp-bug-nginx-security-vulnerability-cvss-9-8
A critical authentication bypass vulnerability in Nginx UI, tracked as CVE-2026-33032, is now being actively exploited in the wild, allowing remote attackers to seize complete control of web servers without any credentials. The flaw stems from the /mcp_message endpoint being left entirely unprotected, enabling any network-accessible attacker to invoke privileged Model Context Protocol (MCP) actions — including restarting Nginx, creating or modifying configuration files, and triggering automatic config reloads. Exploitation requires nothing more than network access: an attacker establishes an SSE connection, opens an MCP session, and uses the returned session ID to send unauthenticated requests directly to the exposed endpoint, gaining access to all 12 MCP tools, seven of which are destructive in nature.
Pluto Security AI, the firm that discovered and reported the flaw on March 14, published a proof-of-concept exploit and technical details at the end of that month; Nginx UI had already released a patch in version 2.3.4 the day after the report. The vulnerability has since been flagged as under active exploitation by threat intelligence firm Recorded Future in its CVE Landscape report. The risk is compounded by Nginx UI’s widespread adoption: the project has over 11,000 GitHub stars and 430,000 Docker pulls. Internet scans conducted by Pluto Security via Shodan have identified approximately 2,600 publicly exposed and potentially vulnerable instances, concentrated primarily in China, the United States, Indonesia, Germany, and Hong Kong.
System administrators running Nginx UI are strongly urged to update immediately as no mitigations or workarounds have been identified. With public proof-of-concept code already circulating and active exploitation confirmed, the window for unpatched systems to avoid compromise is rapidly narrowing. Administrators should also audit their Nginx configurations for signs of tampering, given that attackers can silently inject malicious server blocks and trigger reloads without leaving obvious traces of initial access.
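As an added, defender-side example (not code from Pluto Security or the Nginx UI project), the script below covers the two checks the article points at: it counts per-client requests to the MCP endpoints in Nginx access logs, and it compares a baseline fingerprint of the Nginx configuration tree against a current snapshot so that injected or modified files show up even when the reload itself left no trace. The log lines and configuration contents are constructed samples. Only /mcp_message is named in the article; treating every path under the /mcp prefix as MCP traffic (to catch the SSE session endpoint) is an assumption.

```python
import hashlib
import os
import re
from collections import Counter

# Constructed sample lines in Nginx "combined" log format (not real traffic).
# 203.0.113.7 performs the session-then-message sequence described in the
# article; 198.51.100.2 is ordinary, unrelated traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [28/Mar/2026:10:01:02 +0000] "GET /mcp HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [28/Mar/2026:10:01:03 +0000] "POST /mcp_message?sessionId=abc123 HTTP/1.1" 202 0 "-" "python-requests/2.31"
203.0.113.7 - - [28/Mar/2026:10:01:04 +0000] "POST /mcp_message?sessionId=abc123 HTTP/1.1" 202 0 "-" "python-requests/2.31"
198.51.100.2 - - [28/Mar/2026:10:02:00 +0000] "GET /api/user HTTP/1.1" 401 45 "-" "Mozilla/5.0"
198.51.100.2 - - [28/Mar/2026:10:02:05 +0000] "GET /login HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# /mcp_message is the endpoint named in the article. Matching the whole /mcp
# prefix is an assumption so the SSE session endpoint is also captured.
MCP_PREFIX = "/mcp"


def parse_access_log(text):
    """Yield a dict per well-formed combined-format line; skip anything else."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["status"] = int(entry["status"])
            yield entry


def find_mcp_activity(text):
    """Return {client_ip: request_count} for requests hitting MCP endpoints."""
    hits = Counter()
    for entry in parse_access_log(text):
        path = entry["path"].split("?", 1)[0]  # drop the sessionId query string
        if path == MCP_PREFIX or path.startswith(MCP_PREFIX + "_") or path.startswith(MCP_PREFIX + "/"):
            hits[entry["ip"]] += 1
    return dict(hits)


# Constructed configuration trees: the "current" tree has an injected server
# block and a modified main file, which is the tampering pattern the article warns about.
BASELINE_CONF = {
    "nginx.conf": "worker_processes auto;\ninclude sites-enabled/*;\n",
    "sites-enabled/default": "server { listen 80; root /var/www/html; }\n",
}
CURRENT_CONF = {
    "nginx.conf": "worker_processes auto;\ninclude sites-enabled/*;\ninclude conf.d/*.conf;\n",
    "sites-enabled/default": "server { listen 80; root /var/www/html; }\n",
    "sites-enabled/injected.conf": "server { listen 8080; root /tmp/www; }\n",
}


def fingerprint(files):
    """Map relative file name -> sha256 of its contents."""
    return {name: hashlib.sha256(body.encode()).hexdigest() for name, body in files.items()}


def snapshot_dir(root):
    """Read every file under root into {relative_path: contents} for fingerprint()."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                files[os.path.relpath(full, root)] = fh.read()
    return files


def config_drift(baseline_fp, current_fp):
    """Return (added, modified, removed) file names between two fingerprint maps."""
    added = sorted(set(current_fp) - set(baseline_fp))
    removed = sorted(set(baseline_fp) - set(current_fp))
    modified = sorted(n for n in baseline_fp if n in current_fp and baseline_fp[n] != current_fp[n])
    return added, modified, removed


if __name__ == "__main__":
    print("MCP requests per client:", find_mcp_activity(SAMPLE_ACCESS_LOG))
    added, modified, removed = config_drift(fingerprint(BASELINE_CONF), fingerprint(CURRENT_CONF))
    print("added:", added, "modified:", modified, "removed:", removed)
```

In practice the baseline fingerprint is taken right after patching to 2.3.4 (for example with `fingerprint(snapshot_dir("/etc/nginx"))`) and stored off-host; any later drift that does not correspond to a known change, or any MCP request from a client that never authenticated, is worth treating as a possible compromise rather than noise.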