INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
ATTENTION: This report is based on previous data. New intelligence sources have been linked and the Executive Summary and Mitigations need to be re-synthesized.
Critical Nginx UI auth bypass flaw now actively exploited in the wild
2026-04-15 13:00 | CRITICAL | MEDIUM
Executive Summary (AI-generated)
A critical authentication bypass in nginx-ui, the open-source web-based management interface for Nginx, is being actively exploited in the wild. Tracked as CVE-2026-33032 (CVSS 9.8), the flaw sits in the project's Model Context Protocol (MCP) integration: the /mcp endpoint is protected by both IP whitelisting and the AuthRequired() middleware, but /mcp_message is protected only by the IP whitelist, and that whitelist is empty by default, which the middleware treats as allow-all. A remote attacker who can reach the management interface can therefore invoke every MCP tool without credentials: restarting nginx, creating, modifying or deleting nginx configuration files, and triggering automatic config reloads, which amounts to a complete takeover of the nginx service. The nginx-ui maintainers fixed the issue in version 2.3.4, released on March 15, 2026; the latest secure release is 2.3.6.
Technical Mitigations (AI-generated)
* Update nginx-ui to version 2.3.4 or later (2.3.6 is the latest secure release). If patching is not possible, disable MCP functionality entirely until it is.
* Do not rely on the MCP IP whitelist as a control: it is empty by default, and an empty whitelist means allow-all. If MCP must stay enabled, populate the whitelist with only the management hosts that need it and put authentication in front of every MCP endpoint, /mcp_message included.
* Restrict network access to the management interface (nginx-ui listens on port 9000 by default) so it is reachable only from a trusted management network, never from the internet; Pluto Security counted roughly 2,600 instances exposed on that port via Shodan.
* Review nginx-ui and nginx access logs for requests to /mcp and /mcp_message from unexpected sources, and audit nginx configuration directories for unauthorized changes; an attacker can also write an invalid configuration and trigger a reload that takes NGINX down along with every application and API behind it.
* Put a WAF or IDS in front of the management interface to block or alert on unauthenticated traffic to the MCP endpoints, and segment the network so a foothold elsewhere cannot reach nginx-ui.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
CVE-2026-27826
CVE-2026-27825
CVE-2026-27944
CVE-2026-33032
Target & Sectors
NORTH_AMERICA
DACH
Incident Timeline
March 15, 2026
The nginx-ui maintainers released a fix for the flaw in version 2.3.4 on March 15, 2026, one day after researchers at the AI workflow security company Pluto Security reported it to them.
"Following responsible disclosure, the vulnerability was addressed in version 2.3.4, released on March 15, 2026."
"The nginx-ui maintainers released a patch in version 2.3.4 just one day after disclosure."
March 2026
Threat actors have been actively exploiting the nginx-ui auth bypass flaw since March 2026.
Recorded Future's Insikt Group independently flagged it in a recent report as one of 31 high-impact vulnerabilities exploited during March 2026, assigning it a risk score of 94 out of 100.
"The disclosure comes as Recorded Future, in a report published this week, listed CVE-2026-33032 as one of the 31 vulnerabilities that have been actively exploited by threat actors in March 2026."
2026/03/16
The nginx-ui maintainers published an advisory describing the two HTTP endpoints through which the flaw is exploited.
"The nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message," according to an advisory released by nginx-ui maintainers last month.
2026/04/08
The nginx-ui maintainers released version 2.3.6, the latest secure version ("released last week" relative to the April 15 coverage). Active exploitation targets instances still running affected versions; 2.3.6 itself is not affected.
Apr 15, 2026
Threat actors are actively exploiting a critical authentication bypass in nginx-ui, the open-source web-based management interface for Nginx. The flaw is in nginx-ui's MCP integration, not in the Nginx web server itself.
2026/04/15
Pluto Security publishes its report on the flaw. Yotam Perkal says that exploitation only requires network access and is achieved by establishing an SSE connection, opening an MCP session, and then using the returned 'sessionID' to send requests to the '/mcp_message' endpoint. SSE here is Server-Sent Events, the streaming transport over which the MCP session is opened, not "Session Establishment".
2026/04/15
The Nginx UI interface for managing NGINX web servers has a critical flaw that allows attackers to bypass authentication and take control of the server without credentials.
The vulnerability, tracked as CVE-2026-33032 (CVSS score: 9.8), was discovered by Pluto Security and allows an attacker who can reach the management interface to take full control of an nginx server through a single unauthenticated API request. It is caused by nginx-ui leaving the '/mcp_message' endpoint unprotected, allowing remote attackers to invoke privileged MCP actions without credentials. The sources describe the attacker variously as "any network attacker" and "network-adjacent"; the network position actually required depends on the installed version (see the note on version 2.3.3 further down).
The vulnerability also enables full architecture reconnaissance, including the ability to read all existing configurations and view back-end topology, upstream servers, TLS certificate paths and internal service addresses, Perkal notes.
An Authentication Failure
The maintainers of the open source project have released a fixed version of nginx-ui (v2.3.4) after researchers at Pluto Security reported the vulnerability to them in early March.
They could also write an invalid configuration and trigger a reload that takes NGINX down, along with every application and API behind it.
Actively Exploited nginx-ui Flaw (CVE-2026-33032)
The flaw, tracked as CVE-2026-33032 (CVSS: 9.8), stems from nginx-ui's insecure implementation of the Model Context Protocol (MCP) and gives attackers a way to make unauthorized changes to NGINX server configurations with little or no authentication in some cases.
Missing Middleware, Full Access
The root cause comes down to a single missing function call: nginx-ui recently added support for the Model Context Protocol (MCP), which splits communication across two HTTP endpoints.
A critical vulnerability in Nginx UI with Model Context Protocol (MCP) support is now being exploited in the wild for full server takeover without authentication.
The nginx-ui maintainers released a patch in version 2.3.4 just one day after disclosure. Recommended actions:
* Update to version 2.3.4 or later
* If patching is not possible, disable MCP functionality entirely
* Restrict network access to the management interface
* Review server logs and configuration directories for unauthorized changes
This is the second MCP vulnerability Pluto Security has disclosed in recent weeks, following MCPwnfluence, an SSRF-to-RCE chain in the Atlassian MCP server.
"Organizations running nginx-ui should treat this as an emergency: update to version 2.3.4 immediately, or disable MCP functionality and restrict network access as an interim measure."
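The last recommended action, reviewing server logs for signs of MCP abuse, is easiest to act on with a small scanner. The following Go program is an added example written for this page; it is not code from nginx-ui, Pluto Security or any of the cited sources. It assumes nginx-ui sits behind an nginx reverse proxy that writes the standard combined access-log format, that 10.0.0.0/8 is the trusted management network, and that the MCP session identifier travels as a sessionID query parameter; the log lines are constructed for the example and are not real telemetry. Because /mcp_message performed no authentication, there is no failed-login signal to look for: the scanner flags every request to /mcp or /mcp_message from outside the trusted range and counts the successful POSTs to /mcp_message per outside client, since those are the requests that would have carried tool calls.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"regexp"
	"strings"
)

// Added example for this page, not code from nginx-ui or the cited sources.
// Assumptions: nginx-ui is reached through an nginx reverse proxy that writes
// the combined log format, 10.0.0.0/8 is the trusted management network, and
// MCP sessions carry a sessionID query parameter.

// SampleLog is constructed for the example; it is not real telemetry.
const SampleLog = `10.0.0.5 - admin [15/Apr/2026:09:12:01 +0000] "GET /api/settings HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.9 - - [15/Apr/2026:09:14:33 +0000] "GET /mcp HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.9 - - [15/Apr/2026:09:14:34 +0000] "POST /mcp_message?sessionID=6c1f HTTP/1.1" 200 145 "-" "python-requests/2.31"
203.0.113.9 - - [15/Apr/2026:09:14:35 +0000] "POST /mcp_message?sessionID=6c1f HTTP/1.1" 200 98 "-" "python-requests/2.31"
198.51.100.7 - - [15/Apr/2026:09:15:02 +0000] "POST /mcp_message HTTP/1.1" 404 0 "-" "curl/8.5.0"
10.0.0.5 - - [15/Apr/2026:09:20:10 +0000] "POST /mcp_message?sessionID=a9b2 HTTP/1.1" 200 145 "-" "curl/8.5.0"
`

// combined-format prefix: client, ident, user, [time], "method path proto", status
var lineRE = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})`)

// Finding is one request to an MCP endpoint from outside the trusted networks.
type Finding struct {
	Client, Time, Method, Path, Status string
}

// TrustedNets parses CIDR strings; malformed entries are skipped.
func TrustedNets(cidrs ...string) []*net.IPNet {
	var nets []*net.IPNet
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil {
			nets = append(nets, n)
		}
	}
	return nets
}

func inAny(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ScanMCPAccess returns every request to /mcp or /mcp_message whose client
// address is not inside one of the trusted networks. The source address is
// the only signal the log offers, so an unparseable address is treated as
// untrusted rather than silently dropped.
func ScanMCPAccess(accessLog string, trusted []*net.IPNet) []Finding {
	var out []Finding
	sc := bufio.NewScanner(strings.NewReader(accessLog))
	for sc.Scan() {
		m := lineRE.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		path := m[4]
		if q := strings.IndexByte(path, '?'); q >= 0 {
			path = path[:q] // drop ?sessionID=... before matching the route
		}
		if path != "/mcp" && path != "/mcp_message" {
			continue
		}
		if ip := net.ParseIP(m[1]); ip != nil && inAny(ip, trusted) {
			continue
		}
		out = append(out, Finding{Client: m[1], Time: m[2], Method: m[3], Path: path, Status: m[5]})
	}
	return out
}

// ToolCallsByClient counts successful (2xx) POSTs to /mcp_message per outside
// client: each is a tool invocation the server accepted without credentials.
func ToolCallsByClient(findings []Finding) map[string]int {
	counts := make(map[string]int)
	for _, f := range findings {
		if f.Method == "POST" && f.Path == "/mcp_message" && strings.HasPrefix(f.Status, "2") {
			counts[f.Client]++
		}
	}
	return counts
}

func main() {
	findings := ScanMCPAccess(SampleLog, TrustedNets("10.0.0.0/8"))
	for _, f := range findings {
		fmt.Printf("%s %s %s %s -> %s\n", f.Time, f.Client, f.Method, f.Path, f.Status)
	}
	for client, n := range ToolCallsByClient(findings) {
		fmt.Printf("%s: %d accepted tool calls from outside the management network\n", client, n)
	}
}
```

On the constructed input the scanner reports four outside hits (the SSE handshake on /mcp, two accepted tool calls and one 404 probe) and attributes two accepted tool calls to 203.0.113.9; the trusted host's own tool call is not reported. Any accepted /mcp_message POST from an address you do not recognise is reason to diff the nginx configuration directories against a known-good copy, since config injection followed by an automatic reload is exactly what the demo chain does.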
Critical Nginx-ui MCP Flaw Actively Exploited in the Wild.
VulnCheck has added the flaw to its Known Exploited Vulnerabilities (KEV) list.
The /mcp endpoint, used for establishing connections, carries both IP whitelisting and authentication middleware.
"While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting -- and the default IP whitelist is empty, which the middleware treats as 'allow all.'"
"This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover."
In other words, the IP whitelist on nginx-ui's /mcp_message endpoint defaults to empty, so connections from any IP are accepted, and nothing else stands between the request and the MCP tool dispatcher.
The exploitation chain shown in Pluto Security's demo:
* Connect to the target nginx-ui instance
* Send requests without any authentication headers
* Gain access to all 12 MCP tools (7 destructive)
* Read nginx configuration files and exfiltrate them
* Inject a new nginx server block with malicious configuration
* Trigger automatic nginx reload
Pluto Security's demo shows that an attacker can use the unauthenticated MCP message endpoint to execute privileged nginx management actions, perform config injection, and ultimately take control of the nginx server, all without authentication.
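The middleware gap quoted above and the chain just listed are easiest to see side by side in code. The following Go program is an added example written for this page, not nginx-ui's own code: the middleware names, the bearer-token check, the JSON-RPC tools/call message shape, the restart_nginx tool name and the sessionID query parameter are all assumptions chosen for the illustration, and it uses only the standard library so it runs offline. NewRouter(false, ...) wires the two routes the way the advisory describes, with /mcp_message behind an IP whitelist whose empty default allows all; NewRouter(true, ...) adds the missing AuthRequired-style call on /mcp_message, which is the whole of the fix. Probe plays the attacker and sends an unauthenticated tools/call straight to /mcp_message.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Added example for this page, not nginx-ui's code. Middleware names, the
// bearer-token check, the message shape, the tool name and the sessionID
// query parameter are assumptions made for the illustration.

// assumedToken stands in for the shared secret that protects /mcp.
const assumedToken = "example-static-token"

// ipWhitelist models the dangerous default the advisory describes: an empty
// allow-list is treated as "allow all", so until someone configures it the
// middleware rejects nobody.
func ipWhitelist(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(allowed) == 0 {
			next.ServeHTTP(w, r) // empty whitelist == allow all
			return
		}
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil {
			host = r.RemoteAddr
		}
		for _, a := range allowed {
			if a == host {
				next.ServeHTTP(w, r)
				return
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// authRequired is the check that /mcp had and /mcp_message lacked.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if subtle.ConstantTimeCompare([]byte(got), []byte(assumedToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// mcpMessage stands in for the tool dispatcher behind /mcp_message: it accepts
// a JSON-RPC tools/call and "executes" the named tool.
func mcpMessage(w http.ResponseWriter, r *http.Request) {
	var req struct {
		Method string `json:"method"`
		Params struct {
			Name string `json:"name"`
		} `json:"params"`
	}
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil || req.Method != "tools/call" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "executed %s", req.Params.Name)
}

// NewRouter wires the two MCP routes. fixed=false reproduces the vulnerable
// layout (whitelist only on /mcp_message); fixed=true adds the missing
// authRequired call.
func NewRouter(fixed bool, whitelist []string) http.Handler {
	mux := http.NewServeMux()
	sse := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// /mcp opens the SSE stream and hands the client its session endpoint
		w.Header().Set("Content-Type", "text/event-stream")
		fmt.Fprint(w, "event: endpoint\ndata: /mcp_message?sessionID=6c1f\n\n")
	})
	mux.Handle("/mcp", ipWhitelist(whitelist, authRequired(sse)))
	var msg http.Handler = http.HandlerFunc(mcpMessage)
	if fixed {
		msg = authRequired(msg)
	}
	mux.Handle("/mcp_message", ipWhitelist(whitelist, msg))
	return mux
}

// Probe plays the attacker: a tools/call sent straight to /mcp_message from
// the given address, with an optional bearer token. Returns the HTTP status.
func Probe(h http.Handler, from, token string) int {
	body := `{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"restart_nginx"}}`
	req := httptest.NewRequest(http.MethodPost, "/mcp_message?sessionID=6c1f", strings.NewReader(body))
	req.RemoteAddr = from
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	outside := "203.0.113.9:51234"
	fmt.Println("vulnerable, empty whitelist, no auth:", Probe(NewRouter(false, nil), outside, ""))
	fmt.Println("vulnerable, whitelist set, no auth:  ", Probe(NewRouter(false, []string{"10.0.0.5"}), outside, ""))
	fmt.Println("fixed, empty whitelist, no auth:     ", Probe(NewRouter(true, nil), outside, ""))
	fmt.Println("fixed, empty whitelist, valid token: ", Probe(NewRouter(true, nil), outside, assumedToken))
}
```

The four probes return 200, 403, 401 and 200: with the default empty whitelist the vulnerable wiring executes the tool for an unauthenticated outside caller; a populated whitelist blocks that address but would still admit an unauthenticated caller from a whitelisted one, which is why the whitelist is not a substitute for authentication; the fixed wiring rejects the unauthenticated call regardless of whitelist state and still serves a client that presents the token. The sessionID the attacker uses comes from the /mcp SSE stream, but nothing in the vulnerable /mcp_message path ever checks that the session was opened by an authenticated client.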
"We identified over 2,600 publicly exposed nginx-ui instances via Shodan, all reachable on the default port 9000," he says. Based on Pluto Security's internet scans using the Shodan engine, there are currently about 2,600 publicly exposed instances potentially vulnerable to attack.
The project is very popular, with more than 11,000 stars on GitHub and some 430,000 Docker pulls, both of which are indications of its visibility within the developer and DevOps community.
Ravie Lakshmanan
Apr 15, 2026
Web Security / Vulnerability
A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild.
Nginx UI is a web-based management interface for the Nginx web server.
Attackers are actively exploiting a critical flaw in the widely used nginx-ui interface for managing NGINX web servers.
It has been codenamed MCPwn by Pluto Security.
"Given the approximately 2,600 publicly reachable nginx-ui instances our researchers identified, the risk to unpatched deployments is immediate and real," Pluto told The Hacker News.
"When chaining both vulnerabilities -- we are able to send requests to the MCP from the LAN
"[...] any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads – achieving complete nginx service takeover," reads NIST's description of the flaw in the National Vulnerability Database (NVD).
However, the vulnerability identifier, along with technical details and a proof-of-concept (PoC) exploit, emerged at the end of the month.
For those who might have updated to v2.3.3 — the version that patched the previous CVE-2026-27944 flaw — an attack would likely require the threat actor to have some kind of prior access to the local network, he adds.
"For any of those running a version before 2.3.3, the full chain (unauthenticated backup download + MCP takeover) required zero credentials and zero network proximity."
Critical MCP Integration Flaw Puts NGINX at Risk.
Pluto Security's researchers found that the nginx-ui's MCP message endpoint, or the URL (/mcp_message), which handled command execution requests, performed no authentication at all.
But even that protection was weakly implemented because the secret itself was a static Universally Unique Identifier (UUID) generated at first boot and stored in plaintext as a shared secret rather than as a per-user credential, says Yotam Perkal, director of security research at Pluto.
"The core application might have years of battle-tested authentication — JWTs, session management, RBAC — but MCP endpoints are new, and it's easy to miss one," he says.
Tactical Metrics
Software versions referenced:
* 2.3.3: patched the previous CVE-2026-27944 flaw. On versions before 2.3.3 the full chain (unauthenticated backup download + MCP takeover) required zero credentials and zero network proximity; on 2.3.3 an attack would likely require prior access to the local network.
* 2.3.4: fixes CVE-2026-33032; released March 15, 2026, one day after Pluto Security reported the flaw to the nginx-ui maintainers. Update to this version or later, or disable MCP and restrict network access as an interim measure.
* 2.3.6: latest secure version, released the week before the April 15 coverage.
Intelligence Sources
Infosecurity-Magazine, 2026-04-15: Critical Nginx-ui MCP Flaw Actively Exploited in the Wild
The Hacker News, 2026-04-15
BleepingComputer, 2026-04-15
Dark Reading, 2026-04-15: Critical MCP Integration Flaw Puts NGINX at Risk
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-15T10:17
Comprehensive Tactical Telemetry
Highly Correlated Entities (automated extraction; counts are mention frequencies)
* CVE-2026-33032 (identified entity, 51x; exploited CVE, 4x)
* March 2026 (temporal reference, 9x)
* 2.3.4 (software version, 5x)
* China (target country, 5x): appears in the extracted telemetry only; none of the sources quoted on this page names a target country
* CVSS score (3x): extracted as 10; every cited source gives 9.8
* Reconnaissance (cyber operation type, 2x)
* T1588.006 - Vulnerabilities (MITRE ATT&CK technique, 2x)
* MCP tools exposed: 12, of which 7 are destructive (2x)
Contextual Telemetry
* High-impact vulnerabilities exploited in March 2026 per Recorded Future: 31
* Default port: 9000
* Docker pulls: 430,000
* GitHub stars: 11,000
* Exposed instances (Shodan): 2,689, reported as "over 2,600"
* Attributing entity: Recorded Future