A critical authentication bypass vulnerability (CVE-2026-33032) in Nginx UI's Model Context Protocol (MCP) endpoint is being actively exploited in the wild. The '/mcp_message' endpoint is left unprotected, allowing unauthenticated attackers to invoke all MCP tools, modify nginx configuration files, and achieve full server takeover. With 2,600 publicly exposed instances and a public PoC available, admins are urged to upgrade to nginx-ui version 2.3.6 immediately. The flaw carries a CVSS score of 9.8 and was patched in version 2.3.4 on March 15, 2026.

From bleepingcomputer.com