1. Vulnerability Description

Nginx UI is a widely used open-source graphical management tool for Nginx. A critical authentication bypass vulnerability, codenamed MCPwn and identified as CVE-2026-33032, exists in its integrated MCP (Model Context Protocol) interface due to an oversight in code implementation.

The root cause of this vulnerability lies in a logical error during route registration: while the `/mcp` endpoint is protected by the `AuthRequired()` middleware, its paired `/mcp_message` endpoint, which is responsible for receiving actual tool invocation commands, was deployed without this authentication middleware. This allows any attacker capable of accessing the UI over the network to take control of the Nginx service without requiring any credentials.

2. Impact of the Vulnerability
- CVE ID: CVE-2026-33032
- Alias: MCPwn
- CVSS 3.1 Score: 9.8 (Critical) (Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- Vulnerability Type: Authentication Bypass (CWE-306)
- Affected Versions: nginx-ui < 2.3.4
- Fixed Versions: nginx-ui ≥ 2.3.4
- Technical Impact:
  - Arbitrary Configuration Modification: Attackers can rewrite server blocks via the `edit_config` tool, inserting attacker-controlled upstream servers.
  - Service Takeover: Malicious configurations can be immediately applied via `reload_nginx`, or a Denial of Service (DoS) can be caused by `stop_nginx`.
  - Sensitive Information Disclosure: Attackers can use the `read_file` tool to exfiltrate sensitive files such as TLS private keys and system credentials.
  - Persistent Control: Attackers can leverage `create_cert` to re-issue controlled certificates or combine with other vulnerabilities to maintain long-term persistence.
3. Mitigation Recommendations

- Immediate Upgrade: Upgrade nginx-ui to version 2.3.4 or higher. The official patch has added the `AuthRequired()` call during route registration.

```go
// Fixed code snippet
r.POST("/mcp_message", AuthRequired(), mcpMessageHandler)
```

- Port Isolation: Do not expose the nginx-ui management port (default 9000) directly to the public internet. Instead, use a VPN, bastion host, or firewall (with a whitelist policy) for access control.
- Disable Feature: If AI-assisted management is not required, the MCP module can be completely disabled in the configuration file.
- Key Rotation: After upgrading, it is crucial to rotate the `node_secret`, SSL private keys, and all other sensitive credentials stored within the panel.
- Automated Detection: Non-destructive detection can be performed using the Python script or Nmap NSE plugin provided by `keraattin/CVE-2026-33032`.
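The following is an added example, not nginx-ui's code, that models the route-registration mistake described above with Go's standard `net/http` router and shows the regression check a maintainer would keep in the test suite: `authRequired` is a stand-in for the project's `AuthRequired()` middleware (assumed shape), `newRouter(false)` reproduces the vulnerable registration, `newRouter(true)` the patched one, and `unprotectedRoutes` lists every MCP path that answers an anonymous caller with anything other than 401.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

const validToken = "constructed-demo-token" // constructed for the demo, not a real credential

// authRequired stands in for nginx-ui's AuthRequired() (assumed shape, not the project's code).
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func mcpHandler(w http.ResponseWriter, _ *http.Request)        { fmt.Fprint(w, "mcp session ok") }
func mcpMessageHandler(w http.ResponseWriter, _ *http.Request) { fmt.Fprint(w, "tool invoked") }

// newRouter registers the two MCP routes: fixed=false reproduces the CVE-2026-33032 pattern
// (/mcp wrapped, /mcp_message bare); fixed=true wraps both, as the 2.3.4 patch does.
func newRouter(fixed bool) *http.ServeMux {
	mux := http.NewServeMux()
	mux.Handle("/mcp", authRequired(http.HandlerFunc(mcpHandler)))
	if fixed {
		mux.Handle("/mcp_message", authRequired(http.HandlerFunc(mcpMessageHandler)))
	} else {
		mux.Handle("/mcp_message", http.HandlerFunc(mcpMessageHandler)) // middleware omitted
	}
	return mux
}

// statusWithoutAuth sends an anonymous POST to path and returns the HTTP status code.
func statusWithoutAuth(mux *http.ServeMux, path string) int {
	rec := httptest.NewRecorder()
	mux.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, path, nil))
	return rec.Code
}

// unprotectedRoutes is the regression check: every MCP path must answer 401 to an anonymous
// caller; the paths that do not are returned (an empty result means the router is safe).
func unprotectedRoutes(mux *http.ServeMux) []string {
	var open []string
	for _, p := range []string{"/mcp", "/mcp_message"} {
		if statusWithoutAuth(mux, p) != http.StatusUnauthorized {
			open = append(open, p)
		}
	}
	return open
}
```

Running the check against `newRouter(false)` reports only `/mcp_message` as reachable without credentials, which is exactly the gap the advisory describes; against `newRouter(true)` it reports nothing.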
4. References

- AGI Security: 9.8 High-Risk Vulnerability Being Exploited, Nginx Servers Face Major Threat!
- GitHub: keraattin/CVE-2026-33032 - MCPwn Detection Tooling
- Picus Security: MCPwn - How a Missing Middleware Call Hands Attackers Full Takeover
- GitHub Advisory: GHSA-g9w5-qffc-6762 (CVE-2026-27944)
- NVD: CVE-2026-33032 Detail
