CVE-2026-33032 (Critical, CVSS 9.8)

A missing authentication middleware on a single HTTP endpoint is all it takes. Attackers are already exploiting this critical flaw in the wild — here's everything you need to know.

Key figures: CVSS score 9.8; 2,689 exposed instances; 2 requests to exploit.

What happened

A critical authentication bypass vulnerability in nginx-ui — a popular open-source, web-based management interface for Nginx — is being actively exploited in the wild. Discovered by Yotam Perkal of Pluto Security and tracked as CVE-2026-33032, the flaw has been dubbed MCPwn and carries a near-perfect CVSS score of 9.8.

The root cause is deceptively simple: the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints — /mcp and /mcp_message. While /mcp is protected by both IP whitelisting and authentication middleware, /mcp_message only enforces IP whitelisting. And the default IP whitelist is empty — which the middleware interprets as "allow all."

"This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating, modifying, and deleting nginx configuration files." — nginx-ui maintainers, security advisory

How the attack works

Exploitation requires just two HTTP requests and can achieve a full nginx service takeover in seconds:

1. Send an HTTP GET request to /mcp to establish a session and retrieve a session ID.
2. Send an HTTP POST request to /mcp_message with that session ID to invoke any MCP tool; no authentication headers or tokens are required.

```http
GET /mcp HTTP/1.1
Host: target:9000

→ Returns: {"session_id": "abc123..."}

POST /mcp_message?session_id=abc123... HTTP/1.1
Host: target:9000
Content-Type: application/json

{"tool": "nginx_config_write", "params": {"content": "...malicious config..."}}

→ Full unauthenticated MCP tool access
```

From here, an attacker can modify any Nginx configuration file, reload the server, and — critically — intercept all proxied traffic to harvest administrator credentials.

Scope and exposure

Shodan data reveals approximately 2,689 publicly reachable nginx-ui instances on the internet. The highest concentrations are in China, the United States, Indonesia, Germany, and Hong Kong. Recorded Future listed CVE-2026-33032 among 31 vulnerabilities actively exploited by threat actors in March 2026.

"When you bolt MCP onto an existing application, the MCP endpoints inherit the application's full capabilities but not necessarily its security controls. The result is a backdoor that bypasses every authentication mechanism the application was carefully built with." — Yotam Perkal, Pluto Security

Immediate action required

  • Update nginx-ui to version 2.3.4 (released March 15, 2026) — the only complete fix.
  • If you cannot update immediately, add middleware.AuthRequired() to the /mcp_message endpoint manually.
  • Change the IP allowlist default behavior from allow-all to deny-all as an interim measure.
  • Restrict network access to your nginx-ui instance to trusted IP ranges only.
  • Audit your Nginx configurations and access logs for signs of unauthorized modification.
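To make the two interim fixes above concrete (requiring authentication on /mcp_message, and treating an empty IP allowlist as deny-all rather than allow-all), here is an added net/http example written for this page; it is not nginx-ui's own code. The middleware names, the bearer-token check standing in for a real session check, and the test address 192.0.2.1 are assumptions; hardened=false reproduces the flawed wiring the advisory describes, hardened=true the mitigated one.

```go
package main

import (
	"net"
	"net/http"
)

// ipAllowed checks the request source IP against the allowlist; emptyMeansAllowAll
// reproduces the weak default described above (empty list = allow everyone).
func ipAllowed(allowlist []string, remoteAddr string, emptyMeansAllowAll bool) bool {
	if len(allowlist) == 0 {
		return emptyMeansAllowAll
	}
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	for _, entry := range allowlist {
		if entry == host {
			return true
		}
	}
	return false
}

// guard applies the IP allowlist and, when requireAuth is set, a hypothetical
// bearer-token check standing in for the application's session middleware.
func guard(allowlist []string, emptyMeansAllowAll, requireAuth bool, token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !ipAllowed(allowlist, r.RemoteAddr, emptyMeansAllowAll) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if requireAuth && r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewRouter wires both endpoints. hardened=false mirrors the flaw (/mcp_message: allow-all-when-empty
// IP check, no auth); hardened=true makes an empty list deny-all and requires auth on both.
func NewRouter(allowlist []string, token string, hardened bool) http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	mux := http.NewServeMux()
	mux.Handle("/mcp", guard(allowlist, !hardened, true, token, ok))
	mux.Handle("/mcp_message", guard(allowlist, !hardened, hardened, token, ok))
	return mux
}
```

With an empty allowlist, the unhardened router answers an unauthenticated POST to /mcp_message with 200 while /mcp returns 401; the hardened router returns 403 to everyone until an allowlist is configured, and 401 to allowlisted clients that present no token.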

The broader MCP security problem

MCPwn is not an isolated incident. Pluto Security also disclosed two chained vulnerabilities in the Atlassian MCP server (mcp-atlassian), tracked as CVE-2026-27825 (CVSS 9.1) and CVE-2026-27826 (CVSS 8.2) and dubbed MCPwnfluence. When chained, they allow any local network attacker to redirect the MCP server, upload an arbitrary attachment, and achieve full unauthenticated remote code execution — all from the LAN.

The pattern is clear: MCP integrations are being bolted onto applications without inheriting their security posture. As MCP adoption accelerates across the industry, teams must treat MCP endpoints with the same rigor as any authenticated API surface — because attackers already are.

Affected versions

nginx-ui versions prior to 2.3.4 are vulnerable. The patch was released on March 15, 2026. No workaround is fully equivalent to upgrading.