CVE-2026-33032 (MCPwn): Nginx-UI MCP Authentication Bypass Enables Full Web Server Takeover via Unauthenticated Tool Invocation
Date: 2026-05-01
TLP: CLEAR
Tags: malicious-tool, supply-chain
Executive Summary
CVE-2026-33032, a CVSS 9.8 authentication bypass in nginx-ui's MCP integration, has been actively exploited since mid-April 2026 after VulnCheck added it to its Known Exploited Vulnerabilities catalog on April 13. The /mcp_message endpoint lacks the AuthRequired() middleware, so any network-reachable attacker can invoke all 12 privileged MCP tools without credentials and take over the nginx server in two HTTP requests. Approximately 2,600 publicly exposed nginx-ui instances were identified on Shodan at the time of disclosure.
Campaign Summary
| Field | Detail |
|---|---|
| Campaign / Malware | MCPwn (CVE-2026-33032) |
| Attribution | Unknown, opportunistic mass exploitation (confidence: none) |
| Target | Organizations running nginx-ui web management interface |
| Vector | Unauthenticated HTTP requests to /mcp_message endpoint |
| Status | active |
| First Observed | 2026-03 |
Detailed Findings
Pluto Security researcher Yotam Perkal discovered CVE-2026-33032 in early March 2026 and filed responsible disclosure on March 14. The patch shipped in nginx-ui v2.3.4 on March 15, a one-line fix adding AuthRequired() middleware to the /mcp_message route. [Pluto Security]
nginx-ui is an open-source web interface for managing Nginx servers with 11,000+ GitHub stars and 430,000+ Docker pulls. In late 2025 the project added MCP support allowing AI assistants to manage nginx configurations. The implementation mounted two HTTP endpoints: /mcp with IP whitelisting and AuthRequired middleware, and /mcp_message with IP whitelisting only and no authentication. The default IP allowlist is empty, which the middleware interprets as "allow all." [Pluto Security]
An attacker first sends an unauthenticated GET to /mcp to open an SSE session and obtain a sessionId, then POSTs to /mcp_message?sessionId= carrying that value and no authentication headers. The 12 exposed MCP tools include nginx_config_add, which auto-reloads nginx, so a configuration rewrite and service restart take a single call. [Picus Security]
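To make the root cause concrete, the following Go program is an added illustration (not nginx-ui's code) of the two route layouts described above: a "vulnerable" mux where /mcp_message sits behind an IP allowlist that treats an empty list as allow-all and has no auth middleware, beside a hardened mux where the allowlist fails closed when empty and both MCP routes share the auth middleware. The middleware names, the bearer-token check and the sample addresses are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical stand-in for a session token check; nginx-ui's real
// AuthRequired() logic is not reproduced here.
const validToken = "constructed-example-token"

// ipAllowed reports whether the client IP is in the allowlist.
func ipAllowed(allow []string, r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		return false
	}
	for _, a := range allow {
		if a == host {
			return true
		}
	}
	return false
}

// ipAllowlistFailOpen mirrors the defect the advisory describes: an empty
// allowlist (the default) is interpreted as "allow everyone".
func ipAllowlistFailOpen(allow []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(allow) != 0 && !ipAllowed(allow, r) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ipAllowlistFailClosed denies when the list is empty or the IP is absent.
func ipAllowlistFailClosed(allow []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(allow) == 0 || !ipAllowed(allow, r) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// authRequired rejects requests without the expected bearer token.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// toolHandler stands in for the privileged MCP tool dispatcher.
func toolHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write([]byte("tool invoked"))
	})
}

// vulnerableMux: /mcp has allowlist + auth, /mcp_message has allowlist only,
// and the allowlist fails open, so the message route is reachable by anyone.
func vulnerableMux(allow []string) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/mcp", ipAllowlistFailOpen(allow, authRequired(toolHandler())))
	mux.Handle("/mcp_message", ipAllowlistFailOpen(allow, toolHandler()))
	return mux
}

// hardenedMux: both routes require auth and the allowlist fails closed.
func hardenedMux(allow []string) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/mcp", ipAllowlistFailClosed(allow, authRequired(toolHandler())))
	mux.Handle("/mcp_message", ipAllowlistFailClosed(allow, authRequired(toolHandler())))
	return mux
}

// probe issues an in-memory request from the given remote address with an
// optional bearer token and returns the HTTP status code.
func probe(h http.Handler, method, path, remote, token string) int {
	req := httptest.NewRequest(method, path, strings.NewReader(""))
	req.RemoteAddr = remote
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	vuln, hard := vulnerableMux(nil), hardenedMux(nil) // nil = default empty allowlist
	fmt.Println("vulnerable, unauth POST /mcp_message:", probe(vuln, "POST", "/mcp_message?sessionId=x", "198.51.100.7:4444", ""))
	fmt.Println("hardened,   unauth POST /mcp_message:", probe(hard, "POST", "/mcp_message?sessionId=x", "198.51.100.7:4444", ""))
}
```

With the default empty allowlist the vulnerable layout returns 200 to an unauthenticated POST on /mcp_message while /mcp still returns 401, which is exactly the asymmetry the advisory describes; the hardened layout returns 403 until an allowlist is configured and 401 until a valid token is presented.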
Recorded Future confirmed active exploitation in March 2026. VulnCheck added CVE-2026-33032 to its KEV catalog on April 13, 2026. Rapid7 published detection coverage on April 16-17, 2026. Recorded Future ranked it among the 31 most-exploited CVEs of March 2026 with a risk score of 94/100. [Rapid7, Recorded Future]
A PurpleOps report published April 16 reported exploitation chained with CVE-2026-27944, an information leak in /api/backup that allows recovery of long-lived secrets from backups. [PurpleOps]
Shodan identified approximately 2,689 exposed instances, concentrated in China, the US, Indonesia, Germany, and Hong Kong. The current recommended version is nginx-ui 2.3.6, released April 8, 2026. [Rapid7]
MITRE ATT&CK Mapping
| Technique | ID | Context |
|---|---|---|
| Exploit Public-Facing Application | T1190 | Unauthenticated exploitation of /mcp_message endpoint to invoke privileged MCP tools |
| Server Software Component | T1505 | Attacker rewrites nginx configuration files to plant credential-harvesting pages or reverse proxy routes |
| Modify System Process | T1543 | MCP tools allow restarting and reconfiguring nginx service |
| Valid Accounts | T1078 | CVE-2026-27944 chaining recovers backup credentials for lateral movement |
IOCs
Domains
No domain, hash, or IP IOCs published by source. Exploitation is opportunistic mass scanning of exposed nginx-ui management interfaces.
Full URL Paths
No URL path IOCs published by source.
Splunk Format
"mcp_message" OR "nginx-ui" OR "/mcp_message"
File Hashes
No file hash IOCs published by source.
Package Indicators
nginx-ui (versions <=2.3.5)
Detection Recommendations
Monitor web proxy and WAF logs for unauthenticated POST requests to /mcp_message endpoints on nginx-ui management ports. Search EDR telemetry for nginx configuration file modifications outside of change management windows. Query Shodan or internal asset inventories for nginx-ui instances exposed on default management ports. Alert on nginx process restarts correlated with /mcp_message POST activity. Scan for CVE-2026-27944 indicators: unauthenticated GET requests to /api/backup endpoints.
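The detection guidance above, implemented over constructed log lines, as an added example that is not part of the original advisory. The program parses nginx/proxy access-log lines in the combined format, flags POSTs to /mcp_message and GETs to /api/backup, and marks an alert as correlated when an nginx restart event falls within a window after the request. The combined log format does not record the Authorization header, so the rule keys on method and path plus restart correlation rather than on the absence of credentials; the sample lines, restart timestamp and window size are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Event is one parsed access-log request.
type Event struct {
	Src    string
	When   time.Time
	Method string
	Path   string
	Status int
}

// Alert is a flagged request, optionally correlated with an nginx restart.
type Alert struct {
	Src               string
	Reason            string
	When              time.Time
	RestartCorrelated bool
}

// Combined log format: ip ident user [time] "METHOD path proto" status ...
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

// parseLine extracts source IP, timestamp, method, path and status.
func parseLine(line string) (Event, bool) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	ts, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
	if err != nil {
		return Event{}, false
	}
	status, _ := strconv.Atoi(m[5])
	return Event{Src: m[1], When: ts, Method: m[3], Path: m[4], Status: status}, true
}

// suspicious returns a non-empty reason when the request matches the
// advisory's indicators (query string is ignored when matching the path).
func suspicious(e Event) string {
	p := strings.SplitN(e.Path, "?", 2)[0]
	switch {
	case e.Method == "POST" && p == "/mcp_message":
		return "POST to /mcp_message (CVE-2026-33032)"
	case e.Method == "GET" && p == "/api/backup":
		return "GET to /api/backup (CVE-2026-27944)"
	}
	return ""
}

// scan flags suspicious requests and correlates each with restart events
// that occur within `window` after the request.
func scan(lines []string, restarts []time.Time, window time.Duration) []Alert {
	var alerts []Alert
	for _, l := range lines {
		e, ok := parseLine(l)
		if !ok {
			continue
		}
		reason := suspicious(e)
		if reason == "" {
			continue
		}
		a := Alert{Src: e.Src, Reason: reason, When: e.When}
		for _, r := range restarts {
			if d := r.Sub(e.When); d >= 0 && d <= window {
				a.RestartCorrelated = true
			}
		}
		alerts = append(alerts, a)
	}
	return alerts
}

// Constructed sample input: one MCP session + message pair, one backup pull,
// and one ordinary authenticated request that should not alert.
var sampleLog = []string{
	`198.51.100.7 - - [14/Apr/2026:10:02:11 +0000] "GET /mcp HTTP/1.1" 200 512 "-" "curl/8.5.0"`,
	`198.51.100.7 - - [14/Apr/2026:10:02:12 +0000] "POST /mcp_message?sessionId=3f2a HTTP/1.1" 202 0 "-" "curl/8.5.0"`,
	`203.0.113.9 - - [14/Apr/2026:10:05:40 +0000] "GET /api/backup HTTP/1.1" 200 20480 "-" "python-requests/2.31"`,
	`10.0.0.5 - admin [14/Apr/2026:10:10:00 +0000] "GET /api/sites HTTP/1.1" 200 1024 "-" "Mozilla/5.0"`,
}

// Constructed restart event (e.g. from journald/systemd) 3 seconds after the POST.
var sampleRestarts = []time.Time{time.Date(2026, time.April, 14, 10, 2, 15, 0, time.UTC)}

func main() {
	for _, a := range scan(sampleLog, sampleRestarts, 2*time.Minute) {
		fmt.Printf("%s %-22s %s restart-correlated=%v\n", a.When.Format(time.RFC3339), a.Src, a.Reason, a.RestartCorrelated)
	}
}
```

A POST to /mcp_message followed within the window by an nginx restart is the strongest signal here, since it matches the single-call config rewrite and reload path; the /api/backup hit is flagged on its own, and the authenticated admin request produces no alert.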
References
- [Pluto Security] MCPwn: CVE-2026-33032 Nginx-UI Authentication Bypass (2026-03-14) — https://policylayer.com/attacks/mcpwn-auth-bypass
- [Rapid7] CVE-2026-33032: Nginx UI Missing MCP Authentication (2026-04-16) — https://www.rapid7.com/blog/post/etr-cve-2026-33032-nginx-ui-missing-mcp-authentication/
- [Picus Security] CVE-2026-33032 (MCPwn): How a Missing Middleware Call in nginx-ui Hands Attackers Full Web Server Takeover (2026-04) — https://www.picussecurity.com/resource/blog/cve-2026-33032-mcpwn-how-a-missing-middleware-call-in-nginx-ui-hands-attackers-full-web-server-takeover
- [NVD] CVE-2026-33032 (2026-03-30) — https://nvd.nist.gov/vuln/detail/CVE-2026-33032