A critical unauthenticated vulnerability in nginx-ui’s Model Context Protocol (MCP) allows attackers to invoke privileged actions via the /mcp_message endpoint to modify and reload Nginx configuration, enabling full server takeover. The flaw (CVE-2026-33032) is being actively exploited in the wild with public PoCs available, and administrators are urged to upgrade to nginx-ui 2.3.6 or apply the released fix immediately. #CVE-2026-33032 #nginx-ui
Keypoints
- An unauthenticated flaw in nginx-ui’s /mcp_message endpoint (CVE-2026-33032) lets attackers invoke MCP actions.
- Attackers can write and reload Nginx configuration, inject malicious server blocks, and achieve complete Nginx service takeover.
- Exploitation requires only network access: the attacker establishes an SSE connection, opens an MCP session, and uses the returned sessionID to invoke MCP actions.
- Public proof-of-concept exploits exist and the vulnerability is under active exploitation, so urgent patching is recommended.
- Pluto Security identified about 2,600 potentially exposed instances worldwide; upgrade to nginx-ui 2.3.6 or apply the fix from 2.3.4 immediately.
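The key points above give a defender two concrete things to check: whether the installed nginx-ui is below the version the advisory directs upgrading to (2.3.6), and whether the /mcp_message endpoint is being reached from outside the networks that should ever talk to the admin UI. The following Python script is an added example written for this page, not code from nginx-ui, Pluto Security, or the original article. It assumes the standard Nginx combined access-log format for the proxy in front of nginx-ui, a trusted-network list of RFC 1918 ranges (an assumption; adjust to your environment), and uses only the endpoint path and version number stated above. The log lines embedded in it are constructed samples, not real traffic.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in Nginx combined log format (not from any real incident).
# Two hits on /mcp_message come from a public address, one from an internal host.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Mar/2026:10:01:02 +0000] "GET /mcp_message?sessionID=abc123 HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [20/Mar/2026:10:01:03 +0000] "POST /mcp_message?sessionID=abc123 HTTP/1.1" 200 88 "-" "curl/8.5.0"
10.0.0.5 - - [20/Mar/2026:10:02:10 +0000] "POST /mcp_message?sessionID=def456 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Mar/2026:10:03:00 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Path named in the advisory; query strings are stripped before comparison.
MCP_PATH = "/mcp_message"

# Version the advisory directs upgrading to; anything below it is flagged.
FIXED_VERSION = (2, 3, 6)

# Assumption: only internal (RFC 1918) sources are expected to reach the admin UI.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one combined-format access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_trusted(ip_text, trusted_nets=TRUSTED_NETS):
    """True if the source address falls inside one of the trusted networks."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def find_mcp_hits(log_text, trusted_nets=TRUSTED_NETS):
    """Return parsed requests to /mcp_message that originate outside the trusted networks."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].split("?", 1)[0] != MCP_PATH:
            continue
        if is_trusted(rec["ip"], trusted_nets):
            continue
        hits.append(rec)
    return hits


def summarize_by_ip(hits):
    """Count flagged /mcp_message requests per source address."""
    return dict(Counter(h["ip"] for h in hits))


def parse_version(text):
    """Turn a version string such as 'v2.3.5' or '2.3.6-rc1' into a 3-tuple of ints."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(text):
    """True if the installed nginx-ui version is below the advisory's upgrade target."""
    return parse_version(text) < FIXED_VERSION


if __name__ == "__main__":
    for ip, count in summarize_by_ip(find_mcp_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {count} untrusted request(s) to {MCP_PATH}")
    for v in ("2.3.5", "2.3.6"):
        print(f"nginx-ui {v}: {'needs upgrade' if is_vulnerable_version(v) else 'ok'}")
```

Run it against the real access log of the reverse proxy in front of nginx-ui (`find_mcp_hits(open(path).read())`); any flagged source is worth correlating with configuration changes and reloads on the host, since the advisory's exploitation path ends in a rewritten and reloaded Nginx configuration.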