
Critical MCP Integration Flaw Puts NGINX at Risk


Attackers are actively exploiting a critical flaw in the widely used nginx-ui interface for managing NGINX web servers.

The flaw, tracked as CVE-2026-33032 (CVSS: 9.8), stems from nginx-ui’s insecure implementation of the Model Context Protocol (MCP). It gives attackers a way to make unauthorized changes to NGINX server configurations with little or, in some cases, no authentication.

An Authentication Failure

The maintainers of the open source project have released a fixed version of nginx-ui (v2.3.4) after researchers at Pluto Security reported the vulnerability to them in early March.

Many organizations and developers use nginx-ui to centralize the management of NGINX configurations through a web-based interface rather than manually editing configuration files. The project has garnered more than 11,000 GitHub stars and some 430,000 Docker pulls, both of which are indications of its popularity and visibility within the developer and DevOps community. Recent versions of nginx-ui, like many modern applications, support MCP to let external tools and AI agents directly manage NGINX configurations.


Pluto Security’s researchers found that nginx-ui’s MCP message endpoint (/mcp_message), which handled command execution requests, performed no authentication at all. This meant an attacker who could reach it could issue arbitrary administrative commands and directly control nginx-ui’s management functions without providing valid credentials.

The vulnerability, according to nginx-ui maintainers, allows any network attacker to “invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads — achieving complete nginx service takeover.”

Pluto found that in nginx-ui’s MCP flow, a client first connects to the MCP endpoint (/mcp) to establish a session and receive a session ID, which is then used to send commands via a separate /mcp_message endpoint. Session establishment via /mcp required authentication through a so-called node_secret to ensure only trusted clients could initiate MCP sessions in the first place.

But even that protection was weakly implemented because the secret itself was a static Universally Unique Identifier (UUID) generated at first boot and stored in plaintext as a shared secret rather than as a per-user credential, says Yotam Perkal, director of security research at Pluto. So while the authentication was intended in theory to restrict access to MCP sessions, in practice it provided little security value.


Retrieving the node_secret was also often trivial, Perkal says, thanks to a separate vulnerability in nginx-ui (CVE-2026-27944), which exposed backups containing app.ini and decryption keys. Once an attacker retrieved the node_secret, they could establish an MCP session and then issue any commands through /mcp_message without further authentication, effectively enabling full control of the nginx-ui-managed NGINX environment.

Similarly, an IP whitelist protection on nginx-ui’s /mcp message endpoint defaults to empty, allowing connections from any IP. That means remote attackers can exploit the vulnerability, Perkal says. “We identified over 2,600 publicly exposed nginx-ui instances via Shodan, all reachable on the default port 9000,” he says. “For any of those running a version before 2.3.3, the full chain (unauthenticated backup download + MCP takeover) required zero credentials and zero network proximity.”

For those who might have updated to v2.3.3 — the version that patched the previous CVE-2026-27944 flaw — an attack would likely require the threat actor to have some kind of prior access to the local network, he adds.

Potentially Severe Consequences

“Because NGINX typically sits as a reverse proxy in front of production services, compromising its configuration means compromising everything behind it,” Perkal says. “An attacker exploiting this gets full control over the NGINX configuration.” In a worst case scenario, an attacker could rewrite server blocks to proxy all traffic through an attacker-controlled endpoint, capturing every request, response, and credential in transit, he says.


They could also write an invalid configuration and trigger a reload that takes NGINX down, along with every application and API behind it. The vulnerability also enables full architecture reconnaissance, including the ability to read all existing configurations, and view back-end topology, upstream servers, TLS certificate paths, and internal service addresses, Perkal notes.

The vulnerability is another example of the new risks and exposures that are surfacing as organizations add MCP support to existing applications to enable easier interaction with AI agents. Researchers in recent months have unearthed multiple vulnerabilities in the protocol itself, as well as in the numerous MCP servers that have begun proliferating on the Web.

“When you add MCP to an existing application, you’re exposing the application’s most powerful operations through new HTTP endpoints,” Perkal says. “The core application might have years of battle-tested authentication — JWTs, session management, RBAC — but MCP endpoints are new, and it’s easy to miss one,” he says.

The HTTP streaming mechanism that MCP uses is especially tricky because it splits communication across two endpoints. “Developers intuitively protect the ‘connection’ endpoint but not the ‘message’ endpoint where the actual destructive operations happen,” Perkal noted. “Teams should not assume the same security posture the application has applies to MCPs it uses.”
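The two-endpoint pattern and the empty-allowlist default described above, shown in hardened form as an added example (this is not nginx-ui's code): both /mcp and /mcp_message sit behind one guard, and an empty IP allowlist admits nobody. The names `guard`, `NewMux` and `Probe`, the bearer token, and the sample addresses are assumptions made for illustration.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

// guard enforces an IP allowlist that fails closed (a nil or empty map admits
// nobody), then authentication. The bearer token stands in for real per-user auth.
func guard(allow map[string]bool, token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil || !allow[host] {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		got := []byte(r.Header.Get("Authorization"))
		if token == "" || subtle.ConstantTimeCompare(got, []byte("Bearer "+token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewMux registers the session and message endpoints behind the same guard.
func NewMux(allow map[string]bool, token string) http.Handler {
	ok := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, "ok") })
	mux := http.NewServeMux()
	for _, path := range []string{"/mcp", "/mcp_message"} {
		mux.Handle(path, guard(allow, token, ok))
	}
	return mux
}

// Probe sends a constructed request through h and returns the status code.
func Probe(h http.Handler, path, remote, auth string) int {
	req := httptest.NewRequest(http.MethodPost, path, nil)
	req.RemoteAddr = remote
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := NewMux(map[string]bool{"127.0.0.1": true}, "constructed-token")
	fmt.Println(Probe(h, "/mcp_message", "127.0.0.1:5000", "")) // no credentials sent
}
```

Registering both paths in one loop makes a route-level regression test cheap: every MCP path added later goes through the same `Probe` checks.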
