Critical Authentication Bypass in nginx-ui Under Active Exploitation: Patch Immediately
A critical authentication bypass vulnerability, **CVE-2026-33032**, in nginx-ui, a web-based **Nginx** management tool, is being actively exploited in the wild. The flaw lets an unauthenticated network attacker take control of the **Nginx** service, which is enough to rewrite the server's configuration and, from there, to intercept traffic and compromise the host.

### Active Exploitation of CVE-2026-33032
A critical security flaw in **nginx-ui**, an open-source web interface for managing **Nginx** servers, is under active exploitation. The vulnerability, **CVE-2026-33032** (CVSS score: 9.8), is an authentication bypass that allows attackers to gain complete control over the **Nginx** service. **Pluto Security** has dubbed the vulnerability **MCPwn**.
### Technical Details
The **nginx-ui** MCP (Model Context Protocol) integration exposes two HTTP endpoints: `/mcp` and `/mcp_message`. According to the advisory, `/mcp` is protected by both IP whitelisting and authentication, while `/mcp_message` is protected by IP whitelisting alone. The default IP whitelist is empty, and the middleware interprets an empty list as 'allow all', so on a default install the only check in front of `/mcp_message` is a no-op.
As a result, any attacker who can reach the service over the network can invoke every MCP tool without authentication: restarting **Nginx**, creating, modifying or deleting **Nginx** configuration files, and triggering automatic config reloads. That is complete takeover of the **Nginx** service.
### Attack Vector
According to **Pluto Security** researcher Yotam Perkal, the attack can facilitate a full takeover in seconds via two requests:
* An HTTP GET request to the `/mcp` endpoint to establish a session and obtain a session ID.
* An HTTP POST request to the `/mcp_message` endpoint using the session ID to invoke any MCP tool without authentication.

Successful exploitation lets an attacker modify **Nginx** configuration files and reload the server. Because the attacker then controls how **Nginx** proxies and logs requests, all traffic through the server, including the nginx-ui administrator's own logins, can be intercepted and credentials harvested.
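For teams hunting for the two-request pattern above in their own logs, here is an added example (not from the advisory or the nginx-ui project): a Go scanner over combined-format access log lines that reports clients outside a trusted admin range which successfully POSTed to `/mcp_message`, and whether the same client first issued a GET to `/mcp`. The log lines and the `10.0.0.0/8` trusted range are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// sampleLog is constructed (not real telemetry): combined-format access log
// lines as a reverse proxy in front of nginx-ui might write them.
const sampleLog = `10.0.0.5 - - [16/Mar/2026:09:01:02 +0000] "GET /api/settings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Mar/2026:09:02:10 +0000] "GET /mcp HTTP/1.1" 200 0 "-" "python-requests/2.32"
203.0.113.7 - - [16/Mar/2026:09:02:11 +0000] "POST /mcp_message HTTP/1.1" 202 0 "-" "python-requests/2.32"
203.0.113.7 - - [16/Mar/2026:09:02:12 +0000] "POST /mcp_message HTTP/1.1" 202 0 "-" "python-requests/2.32"
10.0.0.5 - - [16/Mar/2026:09:05:00 +0000] "POST /mcp_message HTTP/1.1" 202 0 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Mar/2026:09:06:00 +0000] "POST /mcp_message HTTP/1.1" 403 0 "-" "curl/8.5"`

// combinedRe captures client, method, request target and status from a combined-format line.
var combinedRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Finding summarises one untrusted client that reached /mcp_message.
type Finding struct {
	Posts     int  // POSTs to /mcp_message that were not rejected (status < 400)
	SawMCPGet bool // an earlier GET /mcp from the same client (session setup)
}

// FindMCPwn scans combined-format log text and reports clients outside
// trustedCIDRs that successfully POSTed to /mcp_message.
func FindMCPwn(logText string, trustedCIDRs []string) (map[string]Finding, error) {
	var trusted []*net.IPNet
	for _, c := range trustedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad trusted range %q: %w", c, err)
		}
		trusted = append(trusted, n)
	}
	isTrusted := func(ip net.IP) bool {
		for _, n := range trusted {
			if n.Contains(ip) {
				return true
			}
		}
		return false
	}
	findings := map[string]Finding{}
	sawGet := map[string]bool{}
	for _, line := range strings.Split(logText, "\n") {
		m := combinedRe.FindStringSubmatch(line)
		if m == nil {
			continue // not a combined-format line; skip rather than fail
		}
		client, method, status := m[1], m[2], m[4]
		path := strings.SplitN(m[3], "?", 2)[0] // drop any query string
		ip := net.ParseIP(client)
		if ip == nil || isTrusted(ip) {
			continue
		}
		code, _ := strconv.Atoi(status)
		switch {
		case method == "GET" && path == "/mcp":
			sawGet[client] = true
		case method == "POST" && path == "/mcp_message" && code < 400:
			f := findings[client]
			f.Posts++
			f.SawMCPGet = f.SawMCPGet || sawGet[client]
			findings[client] = f
		}
	}
	return findings, nil
}

func main() {
	findings, err := FindMCPwn(sampleLog, []string{"10.0.0.0/8"})
	if err != nil {
		panic(err)
	}
	for client, f := range findings {
		fmt.Printf("%s: %d accepted POSTs to /mcp_message (GET /mcp first: %v)\n", client, f.Posts, f.SawMCPGet)
	}
}
```

Because `/mcp_message` performs no authentication, any accepted POST from an address that is not a known administrator is worth investigating on an unpatched instance; a 403, as on the last constructed line, shows the allowlist doing its job. If nginx-ui sits behind a reverse proxy, run this over the proxy's log, where the real client address is recorded.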
### Mitigation
The vulnerability was addressed in version 2.3.4, released on March 15, 2026, and users are advised to upgrade immediately. Two workarounds are described, both of them changes to the nginx-ui source: add `middleware.AuthRequired()` to the `/mcp_message` route so it enforces the same authentication as `/mcp`, or change the IP allowlist's default behavior from 'allow-all' to 'deny-all' so that an empty list admits no address. Operators who cannot rebuild from source should disable the MCP feature and restrict network access to the instance instead.
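As an added example, not nginx-ui's own code, the following Go program reconstructs the route wiring described under Technical Details and Mitigation so the defect and the fix can be seen side by side: an IP allowlist middleware whose empty default means 'allow all', `/mcp` behind allowlist plus authentication, `/mcp_message` behind the allowlist alone, and a hardened wiring that applies `AuthRequired` to both routes and treats an empty list as 'deny all'. It uses the standard library rather than nginx-ui's router; the bearer token, the `10.0.0.0/8` admin range and the client addresses are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// IPAllowlist holds parsed CIDRs. EmptyAllows selects what an empty list
// means: true reproduces the vulnerable "allow everyone" default.
type IPAllowlist struct {
	nets        []*net.IPNet
	EmptyAllows bool
}

func NewIPAllowlist(cidrs []string, emptyAllows bool) (*IPAllowlist, error) {
	a := &IPAllowlist{EmptyAllows: emptyAllows}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad allowlist entry %q: %w", c, err)
		}
		a.nets = append(a.nets, n)
	}
	return a, nil
}

// Allowed decides for a "host:port" remote address.
func (a *IPAllowlist) Allowed(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr
	}
	ip := net.ParseIP(host)
	if ip == nil {
		return false
	}
	if len(a.nets) == 0 {
		return a.EmptyAllows // the whole bug: true on a default install
	}
	for _, n := range a.nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func (a *IPAllowlist) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !a.Allowed(r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// adminToken is a constructed stand-in for nginx-ui's real session check.
const adminToken = "constructed-example-token"

func AuthRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+adminToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mcpTool stands in for the MCP tool dispatcher (restart, edit config, reload).
func mcpTool(w http.ResponseWriter, r *http.Request) {
	fmt.Fprint(w, `{"jsonrpc":"2.0","id":1,"result":"tool executed"}`)
}

// BuildMux wires both endpoints. authOnMessage=false mirrors the vulnerable
// layout in which only /mcp carries AuthRequired.
func BuildMux(cidrs []string, emptyAllows, authOnMessage bool) (http.Handler, error) {
	allow, err := NewIPAllowlist(cidrs, emptyAllows)
	if err != nil {
		return nil, err
	}
	tool := http.HandlerFunc(mcpTool)
	mux := http.NewServeMux()
	mux.Handle("/mcp", allow.Middleware(AuthRequired(tool)))
	if authOnMessage {
		mux.Handle("/mcp_message", allow.Middleware(AuthRequired(tool)))
	} else {
		mux.Handle("/mcp_message", allow.Middleware(tool))
	}
	return mux, nil
}

// Probe sends one request from remoteAddr and returns the HTTP status code.
func Probe(h http.Handler, method, path, remoteAddr, token string) int {
	req := httptest.NewRequest(method, path, strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"tools/call"}`))
	req.RemoteAddr = remoteAddr
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rr := httptest.NewRecorder()
	h.ServeHTTP(rr, req)
	return rr.Code
}

func main() {
	vuln, _ := BuildMux(nil, true, false)                      // shipped default
	fixed, _ := BuildMux([]string{"10.0.0.0/8"}, false, true) // deny-all default + AuthRequired
	attacker, admin := "203.0.113.7:51234", "10.0.0.5:40000"
	fmt.Println("vulnerable, attacker, no token, /mcp_message:", Probe(vuln, "POST", "/mcp_message", attacker, ""))
	fmt.Println("hardened, attacker, no token, /mcp_message:  ", Probe(fixed, "POST", "/mcp_message", attacker, ""))
	fmt.Println("hardened, admin, token, /mcp_message:        ", Probe(fixed, "POST", "/mcp_message", admin, adminToken))
}
```

The vulnerable wiring returns 200 for an unauthenticated POST to `/mcp_message` from any address while `/mcp` returns 401 for the same request; the hardened wiring returns 403 off-list, 401 on-list without a token, and 200 only with both. Note that the middleware decides on `r.RemoteAddr`: an allowlist that reads the client address from `X-Forwarded-For` is only as strong as the proxy that sets that header.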
### Exploitation in the Wild
**Recorded Future** listed **CVE-2026-33032** as one of the 31 vulnerabilities actively exploited by threat actors in March 2026. No details of the specific exploitation activity have been published.
### Exposed Instances
Data from **Shodan** indicates approximately 2,689 exposed instances on the internet, primarily located in China, the U.S., Indonesia, Germany, and Hong Kong.
**Pluto Security** advises organizations running **nginx-ui** to treat this as an emergency: update to version 2.3.4 immediately, or disable MCP functionality and restrict network access as an interim measure.
### Related Vulnerabilities
This disclosure follows the discovery of two security flaws in the **Atlassian** MCP server ("mcp-atlassian") that could be chained to achieve remote code execution. The flaws, tracked as **CVE-2026-27825** (CVSS 9.1) and **CVE-2026-27826** (CVSS 8.2) and dubbed MCPwnfluence, enable any attacker on the same local network to run arbitrary code on a vulnerable machine without authentication.
Chaining the two allows an attacker on the LAN to send requests to the MCP server, redirect it to the attacker's machine, upload an attachment, and thereby achieve full unauthenticated remote code execution, according to **Pluto Security**.