Actively Exploited nginx-ui Flaw (CVE-2026-33032) Enables Full Nginx Server Takeover
تنبيه خطير: ثغرة MCPwn (CVE-2026-33032) مستغلة حالياً فهجمات نشطة
Critical Alert: MCPwn Vulnerability (CVE-2026-33032) Under Active Exploitation
TL;DR
A critical authentication bypass vulnerability in nginx-ui (CVE-2026-33032), codenamed MCPwn, is being exploited in the wild. With a maximum CVSS score of 9.8, the flaw allows unauthenticated attackers to seize full control of Nginx servers by abusing the Model Context Protocol (MCP) integration. Users must update to version 2.3.4 immediately to prevent service takeover and data theft.
Overview of CVE-2026-33032
Security researchers at Pluto Security have identified a catastrophic flaw in nginx-ui, a popular open-source web-based management tool for Nginx. Labeled as CVE-2026-33032 and dubbed MCPwn, the vulnerability allows threat actors to bypass authentication mechanisms and manipulate Nginx configuration files, restart services, and intercept traffic.
The vulnerability stems from the tool's integration of the Model Context Protocol (MCP). While the management interface was designed with security controls, the MCP endpoints fail to properly inherit these protections, effectively creating a backdoor into the server's core functionality.
The Technical Breakdown: How "MCPwn" Works
According to a technical advisory, the nginx-ui MCP integration exposes two specific HTTP endpoints:
/mcp(Requires authentication and IP whitelisting)/mcp_message(Requires only IP whitelisting)
The "critical" failure lies in the default configuration of the /mcp_message endpoint. The default IP whitelist is empty, and the system’s middleware interprets an empty whitelist as "allow all."
The Attack Chain
Pluto Security researcher Yotam Perkal discovered that a full takeover can be achieved in seconds via a two-step request process:
- Session Establishment: The attacker sends an HTTP GET request to the
/mcpendpoint to obtain a session ID. While this step requires authentication, it can be bypassed by chaining a second vulnerability (CVE-2026-27944, CVSS 9.8). This secondary flaw allows unauthenticated users to download full system backups from the/api/backupendpoint and extract thenode_secretrequired for MCP authentication. - Command Execution: Using the session ID and the stolen
node_secret, the attacker sends an HTTP POST request to the/mcp_messageendpoint. This allows them to invoke any MCP tool without further authentication.
Impact: Complete Service Takeover
Once an attacker gains access to the MCP tools, they have nearly unlimited control over the Nginx environment. Threat actors can:
- Create, modify, or delete Nginx configuration files.
- Trigger automatic configuration reloads.
- Restart the Nginx service.
- Intercept web traffic to harvest administrator credentials and SSL private keys.
Perkal warns that this is a classic case of security regression: "The MCP endpoints inherit the application’s full capabilities but not necessarily its security controls... bypassing every authentication mechanism the application was carefully built with."
Active Exploitation and Global Exposure
Recorded Future has confirmed that CVE-2026-33032 is among 31 vulnerabilities actively exploited by threat actors as of March 2026. While specific details on the attackers' identities have not been disclosed, the scale of the threat is significant.
Data from Shodan indicates approximately 2,689 exposed instances of nginx-ui currently active on the internet. The highest concentrations of vulnerable servers are located in:
- China
- United States
- Indonesia
- Germany
- Hong Kong
Remediation and Mitigation
The maintainers of nginx-ui released version 2.3.4 on March 15, 2026, to address this flaw.
Immediate Actions for Administrators:
- Update: Upgrade nginx-ui to version 2.3.4 or later immediately.
- Apply Workarounds: If updating is not immediately possible, manually add
middleware.AuthRequired()to the/mcp_messageendpoint. - Restrict Access: Change the IP allowlisting default behavior from "allow-all" to "deny-all" and restrict network access to the management interface.
Pluto Security urges organizations to treat this as an emergency, noting that "the risk to unpatched deployments is immediate and real."
Conclusion
The discovery of MCPwn highlights the emerging security risks associated with integrating new protocols like MCP into existing infrastructure. As threat actors continue to weaponize authentication bypasses and backup-related vulnerabilities, maintaining a strict "deny-all" default security posture and rapid patching cycles remains the only effective defense.
