Critical Nginx-Ui MCP Flaw Actively Exploited in the Wild

Infosecurity Magazine, Apr 15, 2026

Why It Matters

The exploit grants full server control, exposing web infrastructure to data theft, traffic interception, and service disruption, making rapid patching essential for organizations relying on nginx‑ui.

Key Takeaways

  • CVE‑2026‑33032 allows unauthenticated attackers full nginx control
  • Over 2,600 public nginx‑ui instances exposed across major cloud providers
  • Patch released in version 2.3.4 fixes missing authentication middleware
  • Disabling MCP or restricting network access mitigates immediate risk
  • VulnCheck adds flaw to KEV list; Recorded Future risk score 94/100

Pulse Analysis

The newly disclosed CVE‑2026‑33032 highlights a systemic risk in the Model Context Protocol (MCP) integration within nginx‑ui, an open‑source interface that many enterprises use to manage high‑traffic web servers. By omitting authentication on the /mcp_message endpoint, the flaw bypasses the IP‑whitelisting and login checks that protect the /mcp endpoint, effectively turning a single HTTP request into a root‑level command channel. This design oversight underscores the importance of rigorous code review when extending legacy tools with new communication layers.

Threat intelligence firms quickly flagged the vulnerability as a high‑impact, actively exploited vector. Pluto Security’s Shodan sweep uncovered more than 2,600 exposed instances, many running on the default port 9000 across Alibaba Cloud, Oracle, and Tencent. The Docker image for nginx‑ui has been pulled over 430,000 times, suggesting a far larger hidden population behind firewalls. Recorded Future’s risk score of 94 out of 100 and VulnCheck’s inclusion of the flaw on its Known Exploited Vulnerabilities list signal that attackers are already weaponizing the bypass to inject malicious configurations, reload services, and harvest traffic data.

Mitigation is straightforward but urgent. Administrators should upgrade to nginx‑ui version 2.3.4 or later, which adds the missing authentication call in just 27 characters of code. Where patching is delayed, disabling MCP functionality or isolating the management interface with network ACLs can block exploitation. This incident also serves as a cautionary tale for developers integrating MCP or similar protocols: new endpoints must inherit existing security controls, or they become high‑value attack surfaces that can compromise entire infrastructures.
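
For teams checking whether the management interface was reached before the patch or network ACLs went in, the following is an added example (not from the article or the nginx-ui project) that scans access logs for MCP requests served to clients outside a management allowlist. It assumes the interface sits behind a reverse proxy writing combined-format access logs; the allowlist CIDRs and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: networks allowed to reach the management interface (hypothetical values).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.10.0/24")]
# Combined-format access log line: client IP, request line, status code.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)
MCP_PATHS = ("/mcp_message", "/mcp")  # the two endpoints named in the article


def is_allowed(ip_text):
    """True if the client address falls inside an allowlisted management network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparsable client field is treated as untrusted
    return any(ip in net for net in ALLOWED_NETS)


def find_suspect_mcp_requests(lines):
    """Return {client_ip: count} of MCP requests served (2xx) to non-allowlisted clients."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path not in MCP_PATHS:
            continue
        # A 2xx status means the request was served rather than rejected.
        if m.group("status").startswith("2") and not is_allowed(m.group("ip")):
            hits[m.group("ip")] += 1
    return dict(hits)


# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '10.1.2.3 - - [15/Apr/2026:10:00:01 +0000] "POST /mcp_message HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.7 - - [15/Apr/2026:10:00:02 +0000] "POST /mcp_message HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.7 - - [15/Apr/2026:10:00:03 +0000] "POST /mcp_message?t=1 HTTP/1.1" 200 12 "-" "-"',
    '198.51.100.9 - - [15/Apr/2026:10:00:04 +0000] "GET /mcp HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.9 - - [15/Apr/2026:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "-"',
]

if __name__ == "__main__":
    print(find_suspect_mcp_requests(SAMPLE_LOG))
```

Any address this reports warrants a review of nginx configuration changes and service reloads made around the logged timestamps.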
