# Critical Nginx UI Authentication Bypass Under Active Exploitation: CVE-2026-33032
A critical vulnerability, **CVE-2026-33032**, in **Nginx UI** with Model Context Protocol (MCP) support is being actively exploited in the wild. This flaw allows unauthenticated remote attackers to gain full server takeover by invoking privileged MCP actions without needing credentials.

## Unauthenticated Takeover via Nginx UI
The vulnerability, **CVE-2026-33032**, exists because **nginx-ui** leaves the `/mcp_message` endpoint unprotected. This allows remote attackers to invoke privileged MCP actions without authentication.
Because these actions involve writing and reloading **Nginx** configuration files, a single unauthenticated request can modify server behavior, effectively granting complete control over the web server.
> "[...] any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads – achieving complete nginx service takeover," reads **NIST's** description of the flaw in the National Vulnerability Database (NVD).
## Patch Released, Exploitation in the Wild
**NGINX** released a fix for the flaw in version 2.3.4 on March 15th, a day after researchers at **Pluto Security AI** reported it. However, the vulnerability identifier, along with technical details and a proof-of-concept (PoC) exploit, emerged at the end of the month.
In a recent CVE Landscape report, threat intelligence company **Recorded Future** notes that **CVE-2026-33032** is currently under active exploitation.
**Nginx UI** is a popular web-based management interface for the **Nginx** web server, boasting over 11,000 stars on GitHub and 430,000 Docker pulls.
## Exposure and Attack Vectors
According to **Pluto Security's** internet scans using the **Shodan** engine, approximately 2,600 publicly exposed instances are potentially vulnerable. The majority of these are located in China, the United States, Indonesia, Germany, and Hong Kong.
In a report, **Pluto Security's** Yotam Perkal details that exploitation requires only network access. It involves establishing a Server-Sent Events (SSE) connection, opening an MCP session, and then using the returned `sessionID` to send requests to the `/mcp_message` endpoint.

From this point, attackers can invoke MCP tools without authentication to:
* Connect to the target nginx-ui instance
* Send requests without any authentication headers
* Gain access to all 12 MCP tools (7 destructive)
* Read nginx configuration files and exfiltrate them
* Inject a new nginx server block with malicious configuration
* Trigger automatic nginx reload
**Pluto Security's** demo illustrates how an attacker can leverage the unauthenticated MCP message endpoint to execute privileged nginx management actions, perform config injection, and ultimately gain control of the **Nginx** server, all without authentication.
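Because every step of the attack chain above ends in a request to the `/mcp_message` path, a defender's first question is whether that path has been hit from outside the networks where MCP use is expected. The following script is an added example written for this article, not code from the nginx-ui project or from Pluto Security. It assumes nginx-ui is served behind an nginx reverse proxy whose access log uses the standard `combined` format, and it works on a few constructed log lines embedded below; the trusted network ranges are placeholders to replace with your own.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Path named in the advisory as the unprotected MCP endpoint.
MCP_PATH = "/mcp_message"

# Networks from which MCP use is expected (constructed for this example).
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# nginx "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample records (not real traffic); the last line is deliberately malformed.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Mar/2026:10:01:12 +0000] "GET /mcp_message HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [30/Mar/2026:10:01:13 +0000] "POST /mcp_message HTTP/1.1" 202 0 "-" "python-requests/2.31"
10.0.0.5 - - [30/Mar/2026:10:02:40 +0000] "POST /mcp_message HTTP/1.1" 202 0 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Mar/2026:10:03:01 +0000] "GET /login HTTP/1.1" 200 1024 "-" "curl/8.4.0"
this line is not an access-log record
"""


def parse_line(line):
    """Return the fields of one combined-format record, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def is_trusted(ip_str):
    """True if the source address falls inside one of the expected MCP client networks."""
    try:
        addr = ip_address(ip_str)
    except ValueError:
        return False  # unparseable address: never treat as trusted
    return any(addr in net for net in TRUSTED_NETS)


def find_mcp_hits(log_text, include_trusted=False):
    """Return parsed records whose request path is the MCP message endpoint.

    Untrusted sources are always reported; trusted ones only when asked for,
    so the default output is the list that needs a human look."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip anything that is not a well-formed access-log record
        path = rec["target"].split("?", 1)[0]  # drop any query string before comparing
        if path != MCP_PATH:
            continue
        if is_trusted(rec["ip"]) and not include_trusted:
            continue
        hits.append(rec)
    return hits


def hits_by_source(hits):
    """Count flagged requests per source address."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    flagged = find_mcp_hits(SAMPLE_LOG)
    for rec in flagged:
        print(f'{rec["ts"]} {rec["ip"]} {rec["method"]} {rec["target"]} -> {rec["status"]}')
    print(hits_by_source(flagged))
```

Run against a real log with `find_mcp_hits(open("/var/log/nginx/access.log").read())`. A non-empty result from an address outside your trusted ranges on a version older than 2.3.4 should be handled as a likely compromise rather than a scan, since the endpoint did not require credentials: treat the nginx configuration on that host as untrusted and diff it against a known-good copy.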
## Mitigation
Given the active exploitation and the public availability of PoCs, system administrators are strongly advised to apply the available security updates immediately. The latest secure version of **nginx-ui** is 2.3.6, released last week.
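Checking a fleet against the two version numbers the article gives (fixed in 2.3.4, latest 2.3.6) is easy to get wrong if versions are compared as strings, where "2.10.0" sorts before "2.3.4". The script below is an added example for this article, not part of nginx-ui; the host names and versions in its inventory are constructed, and how you collect the version string from each instance is left to your own inventory tooling. It treats a pre-release tag of the fix version as unpatched, which is a conservative assumption rather than a statement about any particular build.

```python
import re

# Versions named in the article: the fix shipped in 2.3.4; 2.3.6 is the latest release.
FIXED_IN = (2, 3, 4)
LATEST = (2, 3, 6)

# Accepts "2.3.4", "v2.3.4" and pre-release tags such as "2.3.4-rc1".
VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?P<pre>-[0-9A-Za-z.]+)?$")


def parse_version(text):
    """Return ((major, minor, patch), is_prerelease), or None if the string is not a version."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    core = tuple(int(x) for x in m.groups()[:3])  # numeric tuple, so 2.10.0 > 2.3.4
    return core, m.group("pre") is not None


def classify(version_text):
    """Map a version string to 'vulnerable', 'patched' or 'unknown'."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"  # could not parse: needs a manual look, never silently 'patched'
    core, prerelease = parsed
    if core < FIXED_IN:
        return "vulnerable"
    # Assumption: a pre-release of the fix version is treated as unpatched, because the
    # tag alone does not tell us whether it contains the fix.
    if core == FIXED_IN and prerelease:
        return "vulnerable"
    return "patched"


def behind_latest(version_text):
    """True if the version parses and is older than the latest release named in the article."""
    parsed = parse_version(version_text)
    return parsed is not None and parsed[0] < LATEST


def triage(inventory):
    """inventory: iterable of (host, version_text) pairs. Returns {host: classification}."""
    return {host: classify(ver) for host, ver in inventory}


# Constructed inventory (host names and versions are made up for this example).
INVENTORY = [
    ("ui-a.example.internal", "v2.3.3"),
    ("ui-b.example.internal", "2.3.4"),
    ("ui-c.example.internal", "2.3.6"),
    ("ui-d.example.internal", "2.3.4-rc1"),
    ("ui-e.example.internal", "2.10.0"),
    ("ui-f.example.internal", "dev build"),
]

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:24} {status}")
```

Anything reported as `vulnerable` or `unknown` should be patched or pulled off the network first; `behind_latest` separates hosts that merely need a routine update from those exposed to this flaw.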