Critical Vulnerability in Nginx-UI Exposed: Thousands of Instances at Risk
In a significant security incident, a critical authentication bypass flaw in nginx-ui, a widely used open-source web interface for managing nginx servers, has been discovered and exploited in the wild. The vulnerability, identified as CVE-2026-33032, has garnered a high severity rating with a CVSS score of 9.8. This alarming discovery was made by the security firm Pluto Security, which noted that the flaw allows any network-adjacent attacker to gain complete control over an nginx server through the execution of a single unauthenticated API request.
In light of these developments, VulnCheck has included the vulnerability in its Known Exploited Vulnerabilities (KEV) list. Furthermore, Recorded Future’s Insikt Group has also identified the flaw in a recent report, categorizing it alongside 30 other significant vulnerabilities that were actively exploited during March 2026. The Insikt Group assigned a risk score of 94 out of 100, underscoring the seriousness of the threat posed by this weakness.
Underlying Cause: Missing Middleware Allows Full Access
The root underlying issue of this vulnerability stems from a single missing function call within the nginx-ui framework. Recently, nginx-ui integrated support for the Model Context Protocol (MCP), facilitating communication across two separate HTTP endpoints. The first endpoint, known as /mcp, is responsible for establishing connections and includes IP whitelisting and some authentication middleware to enhance security. However, the second endpoint, /mcp_message, which handles all tool invocations—such as configuration writes and server restarts—was inexplicably released without any authentication check.
This oversight has dire implications, exposing 12 MCP tools to unauthenticated callers. Among these, seven tools possess destructive capabilities, allowing attackers to inject malicious nginx configurations, reload the server, and intercept traffic flowing through it. The remaining five tools offer reconnaissance capabilities, enabling potential intruders to read existing configurations and map out the backend infrastructure of the vulnerable servers.
For those seeking deeper insights into similar risks associated with MCP, further resources can be found in a report highlighting the vulnerabilities of hundreds of MCP servers, which are at risk of remote code execution (RCE) and data leaks.
A Large Attack Surface: Thousands of Instances at Risk
Researchers at Pluto Security reported that they used Shodan, a search engine for Internet-connected devices, to identify over 2,600 publicly accessible nginx-ui instances distributed across various cloud providers, including Alibaba Cloud, Oracle, and Tencent. Alarmingly, most of these instances were found operating on the default port 9000, raising concerns about unauthorized access. Given that the tool’s Docker image has been pulled more than 430,000 times, it is clear that a significantly larger number of potentially vulnerable deployments may exist behind firewalls, posing an even greater risk.
In response to the discovery of this critical vulnerability, the maintainers of nginx-ui moved swiftly to release a patch in version 2.3.4, issued just one day after the vulnerability was disclosed. The fix was relatively straightforward, consisting of merely 27 characters of added code, accompanied by a regression test aimed at preventing any recurrence of this oversight in the future.
Recommended Actions for Affected Organizations
Organizations that utilize nginx-ui with MCP functionality enabled are urged to take immediate and decisive action to mitigate the associated risks. Security experts recommend the following steps to safeguard their systems:
-
Update to Version 2.3.4 or Later: Ensure that all instances of nginx-ui are updated to the latest version to incorporate the security patch.
-
Disable MCP Functionality If Patching Is Not Feasible: For those unable to apply the update right away, disabling the MCP functionality altogether is advised to eliminate the risk of exploitation.
-
Restrict Network Access: Tightening access controls to the management interface can help reduce the potential for unauthorized access.
- Conduct Security Audits: Organizations should thoroughly review server logs and configuration directories to identify any unauthorized changes that might have occurred as a result of the vulnerability.
This incident marks the second MCP vulnerability publicly disclosed by Pluto Security in recent weeks. The first, known as MCPwnfluence, involved a server-side request forgery (SSRF) converting into remote code execution (RCE) vulnerabilities within the Atlassian MCP server. Both incidents highlight a troubling trend: when MCP is integrated with existing applications, its endpoints frequently inherit full capabilities without appropriate security safeguards in place. As cyber threats continue to evolve, organizations must remain vigilant and proactive in addressing such vulnerabilities.