MCPwn Flaw in Nginx UI Becomes the First Major MCP Vulnerability Exploited in the Wild
A missing authentication check on a Model Context Protocol endpoint in nginx-ui exposes roughly 2,600 servers to full takeover, and unauthenticated exploitation is practical when paired with a second flaw that leaks a required node secret.
Overview
A critical authentication bypass in nginx-ui, an open-source web interface used to manage Nginx web servers, is being actively exploited to take over exposed instances. The flaw, tracked as CVE-2026-33032 and nicknamed MCPwn by its discoverers, sits inside nginx-ui’s recently added Model Context Protocol (MCP) integration, the same class of AI-tooling interface that has spread rapidly across developer tools over the past year. Security researchers say it is the first high-profile case of an MCP endpoint being weaponized at scale in the wild.
What We Know
The National Vulnerability Database assigns the flaw a CVSS v3.1 base score of 9.8, classifying it under CWE-306 “Missing Authentication for Critical Function.” According to the NVD entry, nginx-ui exposes two HTTP endpoints when MCP support is enabled, /mcp and /mcp_message, and the vulnerability affects versions 2.3.5 and prior. The record was published on March 30, 2026.
The technical root cause is a single missing middleware call. As The Hacker News reports, the /mcp endpoint is guarded by both IP allowlisting and an authentication middleware, but the /mcp_message endpoint, which actually dispatches the privileged MCP tool calls, only enforces IP allowlisting. The default IP allowlist is empty, and the middleware treats an empty list as “allow all,” leaving the endpoint reachable to any network host.
The session-establishment step on /mcp itself still requires authentication via a node_secret parameter, so the endpoint is not directly exposed to anonymous attackers. In practice, however, the secret is straightforward to recover. The Hacker News reports that unauthenticated exploitation is achieved by chaining a second flaw, CVE-2026-27944, an unauthenticated backup-disclosure bug in the /api/backup endpoint affecting nginx-ui versions prior to 2.3.3. Chaining the two lets an attacker download a full system backup, extract node_secret from it, open an MCP session against /mcp, and then POST to /mcp_message to invoke tool handlers directly without authentication headers. BleepingComputer describes the same end-to-end pattern: an SSE session opened on /mcp yields a session identifier that is replayed against /mcp_message to reach the vulnerable handler.
Once through, the attacker gains access to the full set of 12 MCP tools that nginx-ui exposes, seven of which are destructive, per BleepingComputer. The destructive operations include writing nginx configuration files, creating directories, renaming and enabling configs, and triggering automatic reloads or full restarts of the running server. Per The Hacker News, that capability lets an attacker intercept all traffic routed through the compromised Nginx, harvest administrator credentials, maintain persistent access, and enumerate infrastructure by reading existing configurations.
The flaw was reported by AI-security firm Pluto Security in early March, and the nginx-ui maintainers shipped a fix in version 2.3.4 on March 15, 2026, according to CSO Online. The same report notes that VulnCheck and Recorded Future’s Insikt Group observed active exploitation attempts the day the CVE appeared on the NVD. Pluto Security’s Shodan scans identified 2,689 internet-reachable nginx-ui instances running vulnerable versions, concentrated in China, the United States, Indonesia, Germany, and Hong Kong, as CSO Online reports.
Exploitation of the bug fits into a larger pattern of compressed disclosure-to-exploitation timelines that The Machine Herald has previously reported on. Here, the CVE was under active exploitation on the same day it hit the NVD, despite the patch having been public for two weeks.
Why the MCP Angle Matters
MCP, the Model Context Protocol, is an open standard for exposing tools, resources, and data to AI models and agents. It has been adopted by dozens of developer platforms and infrastructure tools, including nginx-ui, which added MCP support so that AI assistants could read and modify Nginx configurations through a structured protocol.
The MCPwn bug is not a flaw in the MCP specification itself, but in how nginx-ui wired an MCP server into its existing authentication plumbing. The consequence, though, is exactly the scenario AI-security researchers have been warning about as MCP adoption expands: tool-calling endpoints that expose privileged system operations are often added faster than the access controls around them, and when those endpoints are reachable over the network, a single middleware gap combined with a separate secret-leak bug exposes an entire class of high-impact actions. In this case, the MCP integration effectively gave remote attackers the same “write and reload nginx config” capability that a local administrator has, as long as a target also ran a sub-2.3.3 version exposing the backup endpoint.
What We Don’t Know
The public record leaves several gaps. Neither Pluto Security nor the threat intelligence vendors citing active exploitation have published attribution, and it remains unclear whether the observed activity is opportunistic mass scanning or targeted intrusions. The /mcp_message handler enables full configuration rewrites and service restarts, but there is no public inventory yet of how many of the roughly 2,600 exposed instances have actually been compromised, what payloads attackers are injecting, or whether traffic interception and credential theft are being carried out at scale.
There is also a small version-reporting discrepancy in the public record. The NVD lists versions 2.3.5 and prior as affected, while CSO Online and the maintainers’ advisory point to 2.3.4, released March 15, as the fix. Subsequent nginx-ui releases have shipped through 2.3.6, and some vendor advisories recommend moving directly to the latest version to avoid ambiguity.
Remediation
The immediate mitigation is to upgrade nginx-ui to a patched release, which also closes the /api/backup disclosure in CVE-2026-27944 for installs still on sub-2.3.3 builds. Organizations that cannot patch immediately are advised to disable the MCP integration entirely or to configure an explicit, non-empty IP allowlist so that /mcp_message is no longer reachable by arbitrary network hosts. Given that exploitation is ongoing and that a successful attack yields full control over the Nginx instance, defenders should also audit existing nginx-ui deployments for unexpected configuration changes, unfamiliar server blocks, and recent reloads.