TP-2026-0057 critical AI Draft C

NGINX UI MCP Endpoint Authentication Bypass (CVE-2026-33032) Exploited in the Wild

Date March 28, 2026
Attack Type Vulnerability exploitation Sector Technology / web infrastructure
Geography Global
Threat Actor Unknown
Attribution A4
CVEs CVE-2026-33032
Confidence C

Summary

CVE-2026-33032 is an authentication bypass vulnerability in NGINX UI’s Model Context Protocol (MCP) integration. The GitHub security advisory GHSA-h6c2-x2m2-mwhf describes how the /mcp_message endpoint enforced only an IP whitelist check, while the adjacent /mcp endpoint enforced both IP whitelist and authentication. Because the default whitelist shipped empty, every network-accessible NGINX UI instance was reachable by any host without credentials.

Recorded Future’s March 2026 CVE landscape identified CVE-2026-33032 as actively exploited during March 2026. Pluto Security’s April 2026 write-up described the vulnerability mechanics with a CVSS score of 9.8 and reported that exploitation was confirmed by both VulnCheck KEV and Recorded Future. Risky.Biz’s Risky Bulletin also reported the NGINX UI MCP endpoint bug as exploited in the wild. The fixed release, v2.3.4, became available on 2026-03-15. No named threat actor has been confirmed in the cited sources.

Technical Analysis

NGINX UI’s MCP integration exposed two HTTP endpoints: /mcp and /mcp_message. According to the GitHub advisory, /mcp enforced both an IP whitelist and authentication, but /mcp_message enforced only the IP whitelist. The project shipped with the whitelist empty by default, meaning the effective access control on /mcp_message was none: any host could reach the endpoint and invoke MCP tools without supplying credentials.

The MCP tools exposed through this path included actions capable of reading and modifying nginx configuration and affecting nginx service state. The GitHub advisory characterises the issue as allowing a network attacker to invoke these tools without authentication.

Pluto Security described a CVSS base score of 9.8, consistent with network-accessible attack vector, no required privileges, no user interaction, and high potential impact across confidentiality, integrity, and availability. The vulnerability is not characterised as a zero-day in the cited sources; the patch preceded the public exploitation reports.

Attack Chain

Stage 1: Discovery of an Exposed NGINX UI Instance

An attacker identifies an internet-facing NGINX UI deployment running a version prior to v2.3.4. The default empty IP whitelist means /mcp_message accepts requests from any source address.

Stage 2: Unauthenticated Request to /mcp_message

The attacker submits HTTP requests to /mcp_message without supplying authentication. The endpoint’s missing authentication check allows the request to proceed to the MCP tool layer.

Stage 3: MCP Tool Invocation Against Nginx

Through the unprotected endpoint the attacker invokes available MCP tools. The GitHub advisory describes the reachable tool set as including actions that affect nginx configuration and nginx service state, enabling modification of the managed nginx deployment.

Timeline

2026-03-15 — Patch Released

NGINX UI v2.3.4 became available, addressing CVE-2026-33032 by correcting the missing authentication check on /mcp_message. (Pluto Security)

March 2026 — Active Exploitation Observed

Recorded Future’s March 2026 CVE landscape identified CVE-2026-33032 as actively exploited during the month.

2026-04-15 — Pluto Security Publishes MCPwn Analysis

Pluto Security published its write-up describing the vulnerability mechanics, the CVSS 9.8 framing, and independent confirmation of exploitation through VulnCheck KEV and Recorded Future.

2026-04-17 — Risky.Biz Risky Bulletin Coverage

Risky.Biz’s Risky Bulletin reported the NGINX UI MCP endpoint bug as exploited in the wild, citing external technical reporting.

Impact Assessment

The direct impact of a successful exploit is attacker control over nginx configuration and service state on any NGINX UI deployment running a vulnerable version with the default empty IP whitelist. The GitHub advisory describes the reachable MCP tool set as including nginx config modification and service-state actions, which can affect availability and introduce further configuration-level access paths on the managed nginx instance.

The cited sources do not provide confirmed victim counts or document post-exploitation pivot chains beyond the scope of the NGINX UI process. Pluto Security’s exposure context is stated cautiously, so the documented impact remains bounded to remote administrative control over vulnerable NGINX UI deployments and the nginx instances they manage.

Attribution

No named threat actor was confirmed in the sources reviewed. Recorded Future’s March 2026 CVE landscape placed CVE-2026-33032 in the actively exploited category without assigning the activity to a known intrusion set. Pluto Security and Risky.Biz similarly reported exploitation without actor attribution.

Attribution remains Unknown. Confidence is A4 — insufficient evidence in the cited sources to link observed exploitation activity to a specific named actor or group.

Remediation & Mitigation

Update NGINX UI to v2.3.4 or later, which corrects the authentication bypass on the /mcp_message endpoint. If immediate patching is not possible, restrict network access to the NGINX UI interface and configure the IP whitelist to permit only trusted management hosts; even with the whitelist populated, patching remains the authoritative fix.

Operators should audit access logs for unexpected requests to /mcp or /mcp_message endpoints, and review recent nginx configuration changes made through the UI for any unauthorised modifications. Instances that ran the default empty-whitelist configuration during March 2026 should be treated as potentially exposed until patched and reviewed.

Sources & References

nginx-uimcpauthentication-bypassunauthenticatedweb-infrastructurevulnerability-exploitationcvss-9-8