MCPwn: CVSS 9.8 Auth Bypass in nginx-ui Delivers Full Nginx Takeover in Two HTTP Requests
Pluto Security published 'MCPwn' — a two-CVE chain in nginx-ui that lets an unauthenticated attacker control all Nginx configuration in two requests. It is the first major exploit of an MCP endpoint in a production system, with 2,689 instances exposed.
A critical vulnerability chain in nginx-ui — the open-source web-based Nginx management interface — allows an unauthenticated attacker to take full control of a server’s Nginx configuration in two HTTP requests. Researchers at Pluto Security published the details under the name “MCPwn.”
Two CVEs: CVE-2026-33032 (CVSS 9.8) and CVE-2026-27944 (CVSS 9.8). The nickname comes from the attack’s entry point: an MCP (Model Context Protocol) endpoint added to nginx-ui to allow AI agents to manage Nginx configurations — the first major exploit of an MCP implementation in production software.
How the Attack Works
nginx-ui’s MCP support exposes an /mcp_message endpoint. The endpoint was intended to be protected by IP whitelisting — but the default whitelist is empty, meaning the effective access policy is “allow all.” No authentication. No session token. No API key required.
The two-step chain:
- Hit the backup endpoint (CVE-2026-27944) with no credentials to extract the
node_secrettoken from the response. - Use the extracted
node_secretto issue arbitrary MCP commands via/mcp_message.
With that access, an attacker can restart Nginx, create and delete virtual host configurations, modify upstream routing rules, trigger full config reloads, or insert malicious proxy directives. In effect: complete control over all traffic flowing through the server.
Active Exploitation
Pluto Security confirmed exploitation activity beginning April 13. Recorded Future’s threat intelligence team independently documented active scanning and exploitation in the wild. ShadowServer’s continuous scanning currently tracks approximately 2,689 publicly reachable nginx-ui instances — a significant portion of which remain unpatched as of publication.
The attack requires no authentication and no special tooling. Any HTTP client can execute it in under a second.
The MCP Angle
This is the first major documented exploitation of an MCP implementation in a production system. The Model Context Protocol standard was designed for AI agent interoperability, and adoption has accelerated rapidly — nginx-ui is among dozens of tools that added MCP endpoints in late 2025 and early 2026 to ship an “AI-compatible” feature.
The attack pattern here is generic: an MCP endpoint with a default-allow access policy, because the developers treated the AI integration layer as a management convenience rather than a security boundary. Pluto Security has stated they are reviewing other tools that added MCP support in the same period. Expect more findings.
The Fix
Upgrade to nginx-ui 2.3.4, released March 15, 2026. The patch removes unauthenticated access to /mcp_message and the backup endpoint, requiring valid session authentication for both.
If you are running any version of nginx-ui prior to 2.3.4, treat the server as potentially compromised and rotate credentials. Check your Nginx access logs and nginx-ui logs for unexpected requests to /mcp_message or /api/system/backup from sources outside your infrastructure.
The patch command:
# Pull the latest nginx-ui release from GitHub
# https://github.com/0xJacky/nginx-ui/releases/tag/v2.3.4The MCP integration era is just beginning. Tools that rushed MCP endpoints into production to claim AI compatibility are carrying the same architectural mistakes nginx-ui made. This will not be the last MCP CVE.