A missing authentication flaw in nginx-ui’s Model Context Protocol (MCP) implementation is being actively exploited in the wild, Pluto Security warned Wednesday.

Nginx-ui is a popular open-source web interface for managing nginx web servers, with more than 11,000 GitHub stars and 430,000 Docker pulls.

Pluto Security discovered that when nginx-ui added MCP support, allowing AI tools to access nginx-ui’s functionalities, a new HTTP endpoint was created that lacked crucial authentication protection.

The POST /mcp_message endpoint, which receives JSON-RPC tool invocations allowing for key actions such as the creation and modification of nginx configuration files, included an IP whitelist check but lacked an authentication check, allowing unauthenticated requests to go through.

Additionally, the IP whitelist is empty by default and works on a “fail-open” basis, meaning all IPs are allowed as long as the whitelist has no entries. This flaw is tracked as CVE-2026-33032 and has a CVSS score of 9.8.
Pluto found that only the GET /mcp endpoint, which opens the initial Server-Sent Events (SSE) stream for MCP connections, contained a proper AuthRequired() check, meaning network attackers with access to a session ID could make tool calls without any further authentication.

This exposes nginx servers to potential takeover, as nginx-ui’s MCP implementation grants access to critical actions including config file creation with auto-reload of nginx, config file modification and nginx restart.

Pluto noted an attacker could leverage this access to create a proxy that intercepts all traffic through the server, inject access_log directives that capture administrators’ authorization headers and ultimately forge admin tokens to escalate privileges and take control of the server.

Additionally, the flaw could be exploited to read existing nginx config files for reconnaissance, or to conduct a denial of service (DoS) attack by writing an invalid configuration file that triggers a crash.

The flaw was discovered and reported by Pluto Security in early March and first fixed in nginx-ui v2.3.4 on March 15, 2026, with a CVE assigned on March 28. Recorded Future’s Insikt Group first reported active exploitation of CVE-2026-33032 in its March 2026 CVE Landscape report, and VulnCheck added the flaw to its Known Exploited Vulnerabilities list on April 13.

Pluto recommended users of nginx-ui update immediately to version 2.3.4 or later and review their nginx logs for unexpected configuration changes.

If a patch can’t be immediately applied, users can add trusted hosts to the IP whitelist to counteract the default fail-open configuration.

The researchers noted that this vulnerability continued a trend of MCP implementation weaknesses the company has observed, including the creation of new endpoints with missing authentication.

“The takeaway for anyone integrating MCP into an existing application: every endpoint in the MCP transport must inherit your full authentication stack,” Pluto Security said.
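The pattern Pluto's takeaway describes, shown as an added Go sketch that is not nginx-ui's code: both MCP transport endpoints are registered behind the same guard, authentication is checked before the IP whitelist, and an empty whitelist is treated as fail-closed. The names demoToken, ipAllowed, protect and newMCPMux, and the static token, are assumptions made for the example.

```go
package main

import (
	"net"
	"net/http"
)

// Constructed credential for the example; a real service validates its own session or token scheme here.
const demoToken = "Bearer demo-token"

// ipAllowed is the whitelist check. failOpen=true reproduces the behaviour the advisory
// describes (an empty list admits everyone); failOpen=false makes an empty list admit nobody.
func ipAllowed(remote string, whitelist []string, failOpen bool) bool {
	if len(whitelist) == 0 {
		return failOpen
	}
	host, _, err := net.SplitHostPort(remote)
	if err != nil {
		host = remote // RemoteAddr given without a port
	}
	for _, w := range whitelist {
		if w == host {
			return true
		}
	}
	return false
}

// protect applies authentication first and the fail-closed IP check second,
// so a missing or empty whitelist can never stand in for a credential.
func protect(whitelist []string, h http.HandlerFunc) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != demoToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !ipAllowed(r.RemoteAddr, whitelist, false) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		h(w, r)
	})
}

// newMCPMux registers both transport endpoints behind the same guard; the
// JSON-RPC message endpoint is not left with only the IP check.
func newMCPMux(whitelist []string) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/mcp", protect(whitelist, func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("stream")) }))
	mux.Handle("/mcp_message", protect(whitelist, func(w http.ResponseWriter, r *http.Request) { w.Write([]byte("ok")) }))
	return mux
}

func main() { http.ListenAndServe("127.0.0.1:8080", newMCPMux([]string{"127.0.0.1"})) }
```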
Nginx-ui MCP missing authentication flaw actively exploited





