CVE-2026-33032: severe nginx-ui bug grants unauthenticated server access

An actively exploited critical nginx-ui flaw (CVE-2026-33032) lets attackers bypass authentication and take full control of Nginx servers.

A critical vulnerability in nginx-ui, tracked as CVE-2026-33032 (CVSS score of 9.8), is being actively exploited, allowing attackers to bypass authentication and fully take over Nginx servers. The issue stems from improper protection of the /mcp_message endpoint, which relies only on IP whitelisting. Since the default whitelist allows all, attackers can access the service without authentication and gain control.

“The nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting – and the default IP whitelist is empty, which the middleware treats as ‘allow all’,” reads the advisory. “This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads – achieving complete nginx service takeover.”

Yotam Perkal of Pluto Security discovered the nginx-ui flaw. The researcher pointed out that it can be exploited in seconds using just two HTTP requests.

“The attack flow: step 1 authenticates to get a session, step 2 uses that session to invoke destructive tools with zero authentication,” wrote Perkal. “An attacker on the same network as the nginx-ui instance needs just two requests:

  • GET /mcp?node_secret=xxx – Establish an SSE session, get a sessionId
  • POST /mcp_message?sessionId=xxx – Invoke any tool. No node_secret. No JWT. No cookies. Nothing.”

A single unauthenticated request can let attackers fully compromise nginx-ui. They can intercept all traffic by redirecting it through malicious servers, capture admin credentials via manipulated logs, and gain persistent access by stealing tokens and secrets. Attackers can also map the entire infrastructure by reading configs and even shut down services by pushing invalid configurations.

The flaw was fixed in nginx-ui version 2.3.4 by adding the missing authentication check to the /mcp_message endpoint, a one-line change. The update also introduced a regression test that verifies both endpoints require authentication, a check that would have caught the issue before release. Notably, some version trackers are incorrect: v2.3.3 is the last vulnerable release, while v2.3.4 includes the fix.
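To make the failure mode concrete, here is an added, self-contained Go illustration (not nginx-ui's own code; the middleware names `ipWhitelist`, `authRequired`, the `demoToken` value and the `newRouter` wiring are all assumptions made for this example). It models the two endpoint layouts the advisory describes: a whitelist middleware whose empty default means "allow all", an `/mcp` route that stacks authentication on top of it, and an `/mcp_message` route that either skips or includes the authentication layer. The `unauthenticatedEndpoints` function is the kind of regression check the fix paragraph refers to: it lists every route an unauthenticated client can reach, and a correct deployment returns none.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ipWhitelist allows only the listed client IPs. allowAllWhenEmpty models the
// weak default described in the advisory: an empty list is treated as "allow all".
// (Hypothetical middleware written for this example, not nginx-ui's implementation.)
func ipWhitelist(allowed []string, allowAllWhenEmpty bool) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			if len(allowed) == 0 {
				if allowAllWhenEmpty {
					next.ServeHTTP(w, r) // fail-open default
					return
				}
				http.Error(w, "forbidden", http.StatusForbidden) // fail-closed alternative
				return
			}
			host, _, err := net.SplitHostPort(r.RemoteAddr)
			if err != nil {
				host = r.RemoteAddr
			}
			for _, a := range allowed {
				if a == host {
					next.ServeHTTP(w, r)
					return
				}
			}
			http.Error(w, "forbidden", http.StatusForbidden)
		})
	}
}

// demoToken is a constructed secret standing in for a real session or JWT check.
const demoToken = "demo-token"

// authRequired is a stand-in for an authentication middleware such as the
// AuthRequired() the advisory mentions; it accepts only the constructed bearer token.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+demoToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mcpTool represents a privileged tool handler (restart, config edit, reload).
func mcpTool(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, "tool invoked")
}

// newRouter wires the two endpoints. fixed=false models the vulnerable layout
// in which /mcp_message has only the whitelist; fixed=true adds the auth layer.
func newRouter(fixed bool) http.Handler {
	wl := ipWhitelist(nil, true) // empty default whitelist, treated as allow-all
	mux := http.NewServeMux()
	mux.Handle("/mcp", wl(authRequired(http.HandlerFunc(mcpTool))))
	if fixed {
		mux.Handle("/mcp_message", wl(authRequired(http.HandlerFunc(mcpTool))))
	} else {
		mux.Handle("/mcp_message", wl(http.HandlerFunc(mcpTool)))
	}
	return mux
}

// statusWithoutAuth sends a request with no credentials and returns the HTTP status.
func statusWithoutAuth(h http.Handler, path string) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader("{}"))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

// unauthenticatedEndpoints is the regression check: every path that answers
// 200 to a credential-less request is returned. A correct wiring returns none.
func unauthenticatedEndpoints(h http.Handler) []string {
	var open []string
	for _, p := range []string{"/mcp", "/mcp_message"} {
		if statusWithoutAuth(h, p) == http.StatusOK {
			open = append(open, p)
		}
	}
	return open
}

func main() {
	fmt.Println("before fix, reachable without auth:", unauthenticatedEndpoints(newRouter(false)))
	fmt.Println("after fix, reachable without auth:", unauthenticatedEndpoints(newRouter(true)))
}
```

Running it prints `[/mcp_message]` for the vulnerable wiring and `[]` for the fixed one. The `allowAllWhenEmpty` flag is there to show the second lesson of this bug: an IP allowlist that fails open when unset is not a security boundary on its own, so a defender reviewing similar middleware should both stack authentication on every privileged route and make an empty allowlist deny by default.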


Pierluigi Paganini

(SecurityAffairs – hacking, nginx)
