Nginx UI auth bypass exploited for full takeover

A critical flaw in Nginx UI, which includes Model Context Protocol (MCP) support, is being exploited “in the wild,” with attackers reportedly able to seize full control of nginx servers without authentication.
The problem is tracked as CVE-2026-33032. Misryoum newsroom reporting says it’s caused by nginx-ui leaving the ‘/mcp_message’ endpoint unprotected. That means a remote attacker can invoke privileged MCP actions without credentials, and because those actions can write and reload nginx configuration files, a single unauthenticated request can effectively change how the web server behaves.
Misryoum editorial desk noted the impact described in the National Vulnerability Database (NVD): “any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads – achieving complete nginx service takeover.”
NGINX released a fix in version 2.3.4 on March 15—just a day after researchers at the AI workflow security company Pluto Security AI reported it. But the vulnerability identifier, along with technical details and a proof-of-concept (PoC) exploit, only surfaced at the end of the month. Then, according to Misryoum analysis, the issue moved from “fixed” to “actively used,” with a CVE Landscape report noting that CVE-2026-33032 is under active exploitation.
Nginx UI itself is a web-based management interface for the Nginx web server. Misryoum newsroom reporting points out that the project is widely used: more than 11,000 stars on GitHub and 430,000 Docker pulls. Misryoum editorial team also highlighted visibility into the exposed attack surface—based on Pluto Security’s internet scans using the Shodan engine, there are currently 2,600 publicly exposed instances potentially vulnerable. Those are mostly in China, the United States, Indonesia, Germany, and Hong Kong. It’s the kind of footprint that turns a software bug into something like a “tap left open” problem.
Misryoum newsroom reporting describes how exploitation works at a practical level: attackers can achieve the bypass by establishing an SSE connection, opening an MCP session, and then using the returned ‘sessionID’ to send requests to the ‘/mcp_message’ endpoint. From there, attackers can supposedly connect to the nginx-ui instance, send requests without any authentication headers, gain access to all 12 MCP tools (7 destructive), read nginx configuration files and exfiltrate them, inject a new nginx server block with malicious configuration, and trigger automatic nginx reload.
Pluto Security’s demo, according to Misryoum newsroom reporting, shows an attacker can use the unauthenticated MCP message endpoint to execute privileged nginx management actions, perform config injection, and ultimately take control of the nginx server—still without authentication. One small real-world moment: it’s easy to imagine an operator hearing the system fan spool up after a reload, thinking it’s just routine traffic… while it’s actually the web server being rewritten.
Given the active exploitation status and the availability of public PoCs, Misryoum editorial desk recommends administrators apply the available security updates as soon as possible. Misryoum newsroom reporting says the latest secure version of nginx-ui is 2.3.6, released last week. If you’re managing fleets with lots of exposed dashboards, this is one of those “check today” issues—because the path already exists, and attackers don’t need much more than network access to walk it.
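For administrators doing that check, the following added example (not from the article, Pluto Security, or the nginx-ui project) triages access logs for calls to the ‘/mcp_message’ endpoint from outside the management network. It assumes nginx-ui sits behind a proxy writing the standard nginx “combined” log format; the allowlisted network and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: nginx "combined" access-log format on a proxy in front of nginx-ui.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
MCP_PATH = "/mcp_message"  # endpoint named in the article
# Assumption: networks administrators legitimately manage nginx-ui from.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
10.20.0.15 - - [02/Apr/2026:09:14:02 +0000] "POST /mcp_message HTTP/1.1" 200 57 "-" "mcp-client"
203.0.113.7 - - [02/Apr/2026:09:20:41 +0000] "POST /mcp_message?q=constructed HTTP/1.1" 200 61 "-" "python-requests/2.32"
203.0.113.7 - - [02/Apr/2026:09:20:43 +0000] "POST /mcp_message?q=constructed HTTP/1.1" 200 912 "-" "python-requests/2.32"
198.51.100.9 - - [02/Apr/2026:10:01:10 +0000] "POST /mcp_message HTTP/1.1" 403 19 "-" "curl/8.5.0"
198.51.100.9 - - [02/Apr/2026:10:01:12 +0000] "GET /mcp_message_docs HTTP/1.1" 404 19 "-" "curl/8.5.0"
not a log line
"""

def is_mgmt(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable client field: treat as outside the allowlist
    return any(addr in net for net in MGMT_NETS)

def suspicious_mcp_clients(log_text):
    """Return {ip: stats} for /mcp_message requests from outside MGMT_NETS."""
    found = defaultdict(lambda: {"hits": 0, "ok": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m["target"].split("?", 1)[0]  # exact path match, query ignored
        if path != MCP_PATH or is_mgmt(m["ip"]):
            continue
        rec = found[m["ip"]]
        rec["hits"] += 1
        rec["ok"] += int(m["status"].startswith("2"))  # 2xx: request was served
        rec["first"] = rec["first"] or m["ts"]
        rec["last"] = m["ts"]
    return dict(found)

if __name__ == "__main__":
    print(suspicious_mcp_clients(SAMPLE_LOG))
```

Clients with a non-zero "ok" count received successful responses from the endpoint and are the ones to review first, alongside any nginx configuration changes made in the same time window.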