Critical nginx-ui Vulnerability CVE-2026-33032 Allows Unauthenticated Nginx Takeover
Briefly

"The nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication, the /mcp_message endpoint only applies IP whitelisting, which the middleware treats as 'allow all.'"
"This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover."
"Attackers can exploit this vulnerability by sending specially crafted HTTP requests directly to the '/mcp_message' endpoint without any authentication headers or tokens."
"Successful exploitation of the flaw could enable them to invoke MCP tools and modify Nginx configuration files and reload the server. Furthermore, an attacker could exploit this loophole to intercept all traffic and harvest administrator credentials."
The CVE-2026-33032 vulnerability in nginx-ui, with a CVSS score of 9.8, enables authentication bypass, allowing attackers to control the Nginx service. The /mcp_message endpoint lacks authentication, permitting any network attacker to invoke MCP tools. This includes restarting Nginx and modifying configuration files. The flaw can be exploited in seconds through two HTTP requests. Successful exploitation can lead to traffic interception and credential harvesting. The vulnerability was patched in version 2.3.4, released on March 15.
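As an added illustration of the defensive fix (this is not nginx-ui's code; the bearer-token scheme, the `protect` wrapper and the placeholder handler are assumptions), the Go `net/http` sketch below applies both of the checks the advisory says `/mcp_message` was missing through one wrapper shared by both endpoints, and makes an empty IP whitelist fail closed rather than mean "allow all":

```go
package main

import (
	"crypto/subtle"
	"net"
	"net/http"
)

// ipAllowed matches the client IP against whitelist entries (plain IPs or CIDRs).
// An empty list fails closed; the advisory describes middleware treating it as "allow all".
func ipAllowed(whitelist []string, remoteAddr string) bool {
	host, _, _ := net.SplitHostPort(remoteAddr) // r.RemoteAddr is host:port
	ip := net.ParseIP(host)
	if ip == nil || len(whitelist) == 0 {
		return false
	}
	for _, entry := range whitelist {
		_, cidr, err := net.ParseCIDR(entry)
		if (err == nil && cidr.Contains(ip)) || ip.Equal(net.ParseIP(entry)) {
			return true
		}
	}
	return false
}

// protect applies BOTH checks. The fix is structural: every MCP route passes
// through this one wrapper, so none can end up with only the IP check as /mcp_message did.
func protect(whitelist []string, token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !ipAllowed(whitelist, r.RemoteAddr) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte("Bearer "+token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// newMCPMux registers /mcp and /mcp_message with identical protection (placeholder tool handler).
func newMCPMux(whitelist []string, token string) *http.ServeMux {
	mux := http.NewServeMux()
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	for _, path := range []string{"/mcp", "/mcp_message"} {
		mux.Handle(path, protect(whitelist, token, ok))
	}
	return mux
}
```

A regression test that sends an unauthenticated request to `/mcp_message` and expects a 401 is the check that would have caught the original omission.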
Read at The Hacker News