Researchers have disclosed a critical vulnerability in Nginx UI that allows an attacker to take complete control of the server without authentication. The issue is already a major concern because exploiting it requires no complex steps and can be done remotely.
The flaw has already been picked up by attackers in one of the most widely used free management interfaces for the nginx web server, nginx-ui.
It is tracked as CVE-2026-33032 (CVSS score 9.8) and grants full access to, and control over, the nginx server being managed.
The bug lies in how the Model Context Protocol (MCP) was implemented in nginx-ui. The application exposes two HTTP endpoints, /mcp and /mcp_message. The former is meant to be protected by both IP filtering and authentication; the latter relies on IP filtering alone. By default that filter is configured to let everyone through (“allow all”), so any client that can reach the endpoint can use it without authenticating at all.
As the developers themselves noted: “this provides access to all MCP tools”. In practice the attacker can restart nginx, edit or delete configuration files and trigger a restart of nginx-ui itself, which amounts to complete control of the service.
Yotam Perkal, the Pluto Security researcher who identified the issue, demonstrated how quickly the attack can be carried out. It involves just two HTTP requests:
A GET request to /mcp to create a new session and receive its ID
A POST request to /mcp_message referencing that session ID, through which the attacker can invoke any of the MCP tools (no authentication is required for this request).
In other words, two plain HTTP requests with no additional headers or tokens are enough to bypass the protection.
After a successful attack the attacker's options extend far beyond changing configuration. They can intercept traffic and steal administrator credentials, which opens the way to further intrusion into the system.
The vulnerability has been fixed in nginx-ui version 2.3.4, released on March 15, 2026. Users who have not yet updated should either put /mcp_message behind authentication or change the IP filter's default from “allow all” to “deny all”.
Notably, this vulnerability was among those actively exploited in March 2026. According to Recorded Future, it is one of 31 vulnerabilities exploited by attackers that month; however, no detailed information on specific attacks is available yet.
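The defect class behind this bug, and the two mitigations just mentioned, are easiest to see in a small model of the routing. The following Go program is an added example written for this article, not nginx-ui's own code: the middleware names, the bearer token, the handler bodies and the client addresses are all constructed for the illustration. It wires /mcp with IP filter plus authentication and /mcp_message with the IP filter only, then probes both with an unauthenticated POST under the default “allow all” filter, under a “deny all” filter, and after applying the authentication check to both routes.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"net/netip"
	"strings"
)

// ipFilter is a minimal allow-list filter. With no prefixes and defaultDeny=false
// it behaves like the "allow all" default described in the article; defaultDeny=true
// models the "deny all" mitigation. (Constructed for this example, not nginx-ui code.)
type ipFilter struct {
	allow       []netip.Prefix
	defaultDeny bool
}

func (f ipFilter) permits(remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		host = remoteAddr // address without a port component
	}
	addr, err := netip.ParseAddr(host)
	if err != nil {
		return false // unparsable source address: fail closed
	}
	for _, p := range f.allow {
		if p.Contains(addr) {
			return true
		}
	}
	return !f.defaultDeny
}

func withIPFilter(f ipFilter, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !f.permits(r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// apiToken is a constructed credential standing in for the UI's real session/token check.
const apiToken = "example-token"

func withAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+apiToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mcpTools stands in for the tool dispatcher (restart nginx, edit configs, ...).
var mcpTools = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintln(w, "tool invoked")
})

// buildMux wires the two routes. vulnerable=true reproduces the pattern the
// advisory describes: /mcp gets filter+auth, /mcp_message gets the filter only.
func buildMux(vulnerable bool, f ipFilter) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/mcp", withIPFilter(f, withAuth(mcpTools)))
	if vulnerable {
		mux.Handle("/mcp_message", withIPFilter(f, mcpTools))
	} else {
		mux.Handle("/mcp_message", withIPFilter(f, withAuth(mcpTools)))
	}
	return mux
}

// probe sends an unauthenticated POST to path from remoteAddr and returns the status code.
func probe(h http.Handler, path, remoteAddr string) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader("{}"))
	req.RemoteAddr = remoteAddr
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	src := "203.0.113.7:40000" // constructed external client address
	for _, c := range []struct {
		name string
		mux  *http.ServeMux
	}{
		{"vulnerable, allow all", buildMux(true, ipFilter{})},
		{"vulnerable, deny all", buildMux(true, ipFilter{defaultDeny: true})},
		{"fixed, allow all", buildMux(false, ipFilter{})},
	} {
		fmt.Printf("%-22s /mcp=%d /mcp_message=%d\n", c.name,
			probe(c.mux, "/mcp", src), probe(c.mux, "/mcp_message", src))
	}
}
```

The point to check in your own deployments is the middle case: a “deny all” filter with an allow list for your management network still lets anyone inside that range call /mcp_message without credentials, so it narrows the exposure rather than closing it; only the authentication check on both routes (the fixed configuration) does that.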
“When MCP is integrated into an existing system, endpoints obtain all of its abilities; however, they do not necessarily inherit its security mechanisms. This results in a backdoor that bypasses protection,” said Perkal.
Shodan counts roughly 2,600 to 2,700 nginx-ui instances reachable from the Internet, most of them in China, the USA, Indonesia, Germany and Hong Kong. For users who have not installed the patch, exposure remains high.
Pluto Security regards the current situation as very dangerous for companies. Organizations are urged to install the patch immediately or, failing that, temporarily disable MCP and restrict external access to the servers.
Separately, another MCP-related issue has recently come to light. Two vulnerabilities were found in Atlassian MCP Server which, chained together, let an attacker on the local network redirect the server, send it malicious content and take full control of it without any authentication. They are tracked as CVE-2026-27825 and CVE-2026-27826 and jointly named MCPwnfluence.
Researchers say that by combining the two vulnerabilities an attacker can deliver arbitrary content into the server's memory and then have it executed.
Taken together, these examples illustrate a simple truth: a single small error in access-control logic can turn into a fully operational backdoor that grants an attacker full access to the system.