CriticalPublic exploit

MCPwn: Unauthenticated MCP takeover in Nginx UI

IdentifiersCVE-2026-33032CWE-306· Missing Authentication for…

CVE-2026-33032 is a critical missing-authentication vulnerability in Nginx UI's Model Context Protocol (MCP) integration affecting versions 2.3.5 and earlier. The application exposes two MCP-related HTTP endpoints, /mcp and /mcp_message. The /mcp endpoint is protected by both IP allowlisting and authentication via AuthRequired() middleware, but /mcp_message only enforces IP allowlisting. Because the default IP whitelist is empty and treated as allow-all, remote attackers can reach /mcp_message without authentication. This design flaw allows unauthenticated invocation of MCP tools that perform privileged Nginx management operations, including restarting nginx, creating/modifying/deleting configuration files, and triggering automatic reloads. Public reporting also describes exploitation via establishing an MCP/SSE session and then sending tool invocations to /mcp_message using the returned session identifier.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation enables complete takeover of the managed Nginx service. An attacker can alter or replace Nginx configuration, reload malicious changes, restart the service, read configuration for reconnaissance, redirect or proxy traffic, capture credentials or authorization material via malicious logging or proxy rules, disrupt service by deploying invalid configurations, and potentially gain persistent administrative control over traffic handling for applications behind Nginx. Multiple sources in the provided content state the vulnerability is being actively exploited in the wild.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable MCP functionality if it is not required, restrict network exposure to Nginx UI, and explicitly configure the IP whitelist to trusted management hosts only rather than relying on the empty default. Limit access to the management interface behind VPN or other administrative network controls, monitor for unexpected Nginx configuration changes and reloads/restarts, and review logs for suspicious requests to /mcp and /mcp_message. Because the flaw is reportedly under active exploitation and the default behavior is effectively fail-open, internet exposure should be treated as high risk.

Remediation

Patch, then assume compromise.

Upgrade Nginx UI to a fixed release. The provided content consistently states the vulnerability was fixed in version 2.3.4, and also references 2.3.6 as a latest secure release; in any case, affected deployments should move off 2.3.5 and earlier to the vendor-fixed version or newer. The fix adds authentication enforcement to /mcp_message and regression coverage to ensure both MCP endpoints require authentication. If authoritative vendor version guidance differs across sources, follow the vendor advisory for the exact minimum patched version.

PUBLIC EXPLOITS

Exploits

1 valid exploit after Mallory filtered fakes, detection scripts, and README-only repos (2 hidden).

VALID 1 / 3 TOTALView more in app

CVE-2026-33032-nginx-ui-vuln-labMaturityPoCVerified exploit

This repository is a self-contained Docker lab and Python exploit demonstrating a chained zero-credential compromise of nginx-ui. The main exploit is exploit/exploit.py, which performs two stages: first, it abuses unauthenticated GET /api/backup to download an encrypted backup and recover the AES key/IV from the X-Backup-Security header, then decrypts nginx-ui.zip and parses app.ini to extract the [node] Secret. Second, it uses that secret to open an SSE session on /mcp, recover a sessionId, and then invoke privileged MCP tools through unauthenticated POST /mcp_message requests. The intended post-exploitation action is nginx takeover by overwriting default.conf so traffic is proxied to http://malicious_site:80, followed by reload_nginx to make the change live immediately. A reset path restores proxying to http://webapp:80. Repository structure supports the demo: docker-compose.yml launches a vulnerable uozi/nginx-ui:v2.3.1 instance on ports 8080 and 9000, a legitimate webapp container, and a malicious phishing container. nginx-ui/app.ini contains the lab configuration, including an empty Node.IPWhiteList and a node secret. nginx/conf.d/default.conf is the initial legitimate reverse-proxy config. webapp/index.html is the benign login page, while malicious/index.html is a phishing clone with a client-side credential capture panel exposed via ?debug=1 for demonstration. Overall, this is a real exploit repository rather than a detector: it automates credential-less secret extraction, privileged MCP access, configuration overwrite, and live nginx reload to redirect victim traffic.

ShredaDisclosed Apr 17, 2026pythonhtmlwebnetwork

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType

NginxuiNginx Uiapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

91 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

91 SOURCESView more in app

nuclei templates pull requestsNews

May 16, 2026

feat: add CVE-2026-33032 Nginx UI MCP unauth takeover template by kakashi963 · Pull Request #16183 · projectdiscovery/nuclei-templates · GitHub

An unauthenticated takeover vulnerability affecting Nginx UI MCP, referenced in a pull request/title context.

osint team blogNews

May 8, 2026

Uncovering FIRESTARTER: Ongoing Cisco ASA Compromise Despite Patch Deployment | by Criminal IP | May, 2026 | OSINT Team

Referenced only as a related article about nginx-ui MCPwn; no substantive vulnerability details are provided in the content.

infosec writeupsNews

Apr 21, 2026

CVE-2026-33032: allows Nginx server takeover | by Om Maniya | Apr, 2026 | InfoSec Write-ups

A critical vulnerability in nginx-ui that can allow attackers to take full control of Nginx servers, reportedly via abuse of the /mcp and /mcp_message endpoints and session handling in the SSE-based management workflow.

ca ccsNews

Apr 16, 2026

Nginx UI security advisory (AV26-360) - Canadian Centre for Cyber Security

A critical vulnerability affecting Nginx UI version v2.3.5 and prior that has reportedly been exploited in the wild.

+7 more in the timeline

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity79

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-33032

NVD

nvd.nist.gov/vuln/detail/CVE-2026-33032

MITRE CWE · CWE-306

Missing Authentication for Critical Function

Vendor Advisory

github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf

websec.net

websec.net/blog/cve-2026-33032-unauthenticated-nginx-ui-mcp-takeover-69e1200f9fceb1f3fbe9c47f