Critical MCP Integration Flaw Puts NGINX at Risk

The open‑source nginx‑ui project has become a de‑facto console for managing NGINX reverse proxies, boasting more than 11,000 GitHub stars and half‑a‑million Docker pulls. Its appeal lies in the Model Context Protocol (MCP), which lets external tools and emerging AI agents issue configuration commands through a web UI. While MCP promises automation, the protocol splits communication across two HTTP endpoints—/mcp for session initiation and /mcp_message for command delivery. In nginx‑ui this split created a blind spot: the message endpoint was left without any authentication checks, opening a direct path to the server’s core control plane.

8‑rated flaw that allows any network attacker to invoke MCP commands without credentials. By first harvesting the static node_secret—exposed by a separate CVE‑2026‑27944 backup leak—an adversary can establish a session and then issue arbitrary actions such as restarting NGINX, editing configuration files, or triggering reloads. Shodan scans revealed more than 2,600 publicly reachable nginx‑ui instances on the default port 9000, meaning the attack chain can be executed with zero proximity for unpatched versions. The potential fallout includes full traffic interception, credential harvesting, and service denial across entire application stacks.

4, which hardens the /mcp_message endpoint and enforces proper secret handling. Organizations should also enforce network segmentation, restrict IP access, and rotate node_secret values regularly. Beyond this specific bug, the incident underscores a broader security challenge: adding MCP or similar AI‑driven interfaces to legacy applications often bypasses established authentication and RBAC mechanisms. Vendors and DevOps teams must treat new protocol endpoints as first‑class attack surfaces, conduct thorough threat modeling, and adopt continuous monitoring to prevent similar supply‑chain compromises.