A critical vulnerability in Nginx UI with Model Context Protocol (MCP) support is now being exploited in the wild for full server takeover without authentication.
The flaw, tracked as CVE-2026-33032, is caused by nginx-ui leaving the ‘/mcp_message’ endpoint unprotected, allowing remote attackers to invoke privileged MCP actions without credentials.
Because those actions involve writing and reloading nginx configuration files, a single unauthenticated request can modify server behavior and effectively take over the web server.
“[…] any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads – achieving complete nginx service takeover,” reads NIST’s descripion of the flaw in the National Vulnerability Database (NVD).
NGNIX released a fix for the flaw in version 2.3.4 on March 15, a day after researchers at the AI workflow security company Pluto Security AI reported it. However, the vulnerability identifier, along with technical details and a proof-of-concept (PoC) exploit, emerged at the end of the month.
In the CVE Landscape report earlier this week, threat intelligence company Recorded Future notes that CVE-2026-33032 is under active exploitation.
Nginx UI is a web-based management interface for the Nginx web server. The library is very popular, with more than 11,000 stars on GitHub and 430,000 Docker pulls.
Based on Pluto Security’s internet scans using the Shodan engine, there are currently 2,600 publicly exposed instances potentially vulnerable to attacks. Most are in China, the United States, Indonesia, Germany, and Hong Kong.
In a report today, Pluto Security’s Yotam Perkal says that exploitation only requires network access and is achieved by establishing an SSE connection, opening an MCP session, and then using the returned ‘sessionID’ to send requests to the ‘/mcp_message’ endpoint.
Source: Pluto Security
From there, attackers can invoke MCP tools without authentication and take the following actions:
- Connect to the target nginx-ui instance
- Send requests without any authentication headers
- Gain access to all 12 MCP tools (7 destructive)
- Read nginx configuration files and exfiltrate them
- Inject a new nginx server block with malicious configuration
- Trigger automatic nginx reload
Pluto Security’s demo shows that an attacker can use the unauthenticated MCP message endpoint to execute privileged nginx management actions, perform config injection, and ultimately take control of the nginx server, all without authentication.
Given the active exploitation status and the availability of public PoCs, system administrators are recommended to apply the available security updates as soon as possible. The latest secure version of nginx-ui is 2.3.6, released last week.
Automated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the other.
This whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic questions for any tool evaluation.
