Provenance Record

Well-structured News piece with clear Overview / What We Know / Why the MCP Angle Matters / What We Don't Know / Remediation sections. Technical depth is appropriate, word count (849) is within the News category band (400-1200). Prose is clean and the MCP-framing is genuinely insightful and distinct from straight incident reporting. Article uses inline hyperlinked citations well.

[{"url":"https://thehackernews.com/2026/04/critical-nginx-ui-vulnerability-cve.html","supported":"partial","notes":"Confirms CVE number, CVSS 9.8, MCPwn codename, Pluto Security as discoverer, researcher Yotam Perkal, the two-endpoint architecture (/mcp and /mcp_message), the 'allow all' default on empty IP allowlist, fix in 2.3.4 on March 15 2026, Shodan count of 2,689, and geographic distribution (China, US, Indonesia, Germany, Hong Kong). CRITICAL MISMATCH: THN explicitly says 'The session establishment step requires authentication' and that unauthenticated exploitation requires chaining CVE-2026-27944 to obtain the node_secret. The article's 'two unauthenticated HTTP requests' framing is not supported here — it is actually a chained-CVE scenario. THN also does NOT say 'seven of those tools are destructive' and does NOT call Pluto 'Israeli'. Fetched via Archive.org fallback (THN blocks direct fetch)."},{"url":"https://www.csoonline.com/article/4159248/critical-nginx-ui-tool-vulnerability-opens-web-servers-to-full-compromise.html","supported":"partial","notes":"Confirms Pluto Security discovery, NVD publication March 30 2026, same-day active-exploitation flagging by VulnCheck and Recorded Future's Insikt Group, MCP support added to nginx-ui in late 2025, Pluto's quoted claim of '12 MCP tools' and 'One unauthenticated API call is all it takes to inject a config and take over nginx', Shodan count 2,689, fix version 2.3.4 released March 15 2026, and recommended remediations (upgrade, disable MCP, restrict IP access, audit for unusual configuration changes). Does NOT support 'seven destructive tools' and does NOT identify Pluto Security as Israeli."},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-33032","supported":"yes","notes":"Confirms CVSS v3.1 9.8 CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), CWE-306 Missing Authentication for Critical Function, affected versions 'through 2.3.5 and all prior', published March 30 2026 (last modified April 16 2026), and description citing both /mcp and /mcp_message endpoints with /mcp_message enforcing only IP whitelisting (empty default treated as allow-all)."}]

Core facts (CVE number, CVSS, CWE, affected versions, fix version, NVD publication date, active exploitation, Shodan count, geographic distribution, MCPwn codename, discoverer, fix date) are correctly sourced and cross-confirmed. Three issues require correction: (1) The attack-chain narrative ('two unauthenticated HTTP requests', 'An attacker issues an unauthenticated GET to /mcp') contradicts the primary source (THN), which states the /mcp session establishment requires authentication and that unauthenticated exploitation depends on chaining CVE-2026-27944 to leak the node_secret. (2) 'Seven of those tools are destructive' is a specific count that appears in none of the three cited sources — both THN and CSO cite '12 MCP tools' but do not break out seven as destructive. (3) 'Israeli AI-security firm Pluto Security' is not supported by any cited source; THN and CSO identify Pluto Security without assigning nationality. The Anthropic / late 2024 MCP origin note is accurate historical background, but not present in the cited sources; either add a primary citation or accept that as widely-known context.

High-quality, well-structured technical news piece with strong framing of the MCP security angle. Close to publishable, but the attack-chain inaccuracy is material enough that it cannot go out as-is — and the two smaller unsourced specifics should be fixed at the same time. A focused rewrite of the 'What We Know' attack-flow paragraph plus the two small corrections should be enough to flip to APPROVE on re-review.