MCPwn: nginx-ui MCP Auth Bypass (CVE-2026-33032)
Two HTTP requests, full nginx server takeover. nginx-ui shipped its MCP server with AuthRequired() middleware on /mcp but not on its sibling /mcp_message. Anyone on the network could grab a session ID from the protected endpoint, replay it against the unprotected one, and invoke any of twelve destructive tools. One of them, nginx_config_add, accepts arbitrary configuration with auto-reload. Roughly 2,600 instances were exposed on the default port at disclosure; Recorded Future listed it among 31 vulnerabilities under active exploitation in March 2026.
What happened
nginx-ui ships an MCP server so AI agents can manage NGINX configuration. The transport exposes two endpoints: /mcp for session establishment, /mcp_message for tool invocation.
Both should sit behind AuthRequired(). Only one did.
The exploit is the kind of thing you write down to remember how simple it was. GET /mcp to get a session ID. POST /mcp_message with that ID. Call any of twelve tools, no credentials at any step. Among them was nginx_config_add, which accepts arbitrary configuration with auto-reload. Full server takeover from an unauthenticated request.
The fix in 2.3.4 is one line: apply the middleware to the second endpoint.
The PolicyLayer angle
This is the canonical case for a policy layer that doesn't trust the MCP server it's talking to. nginx-ui's mistake was a missing middleware call, the kind of bug that compiles, passes review, and ships as a CVSS 9.8. It will keep happening as MCP server authors move faster than they audit.
The pattern that breaks the attack regardless of server bugs: agent-side allowlists on tool names, manual approval for anything that mutates configuration, rate limits on destructive actions. nginx_config_add would have been blocked outright on autonomous runs and surfaced for review interactively, independent of whether the server's auth was broken.
The relevant guarantee: the policy layer treats every tool as untrusted. That's stronger than "every server author remembers every middleware call."
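A minimal sketch of such an agent-side gate, added here as an illustration and not taken from PolicyLayer or nginx-ui: it applies the three controls above (tool allowlist, approval for config-mutating tools, rate limit on destructive calls) before a call ever reaches the MCP server. Only nginx_config_add is named on the page; the read-only tool name nginx_status, the class name ToolPolicy and the limit values are assumptions.

```python
import time
from collections import deque

# Assumed policy for illustration. Only nginx_config_add appears on the page;
# nginx_status is a hypothetical read-only tool name.
READ_ONLY = {"nginx_status"}
MUTATING = {"nginx_config_add"}
MAX_MUTATIONS = 2        # assumed: approved mutating calls allowed per window
WINDOW_SECONDS = 60.0    # assumed: sliding window length


class ToolPolicy:
    """Agent-side gate evaluated before any MCP tool call leaves the agent."""

    def __init__(self, autonomous, clock=time.monotonic):
        self.autonomous = autonomous   # True when no operator is in the loop
        self.clock = clock             # injectable so the limit can be tested
        self._recent = deque()         # timestamps of allowed mutating calls

    def decide(self, tool, approved=False):
        """Return 'allow', 'deny' or 'needs_approval' for one tool call."""
        if tool in READ_ONLY:
            return "allow"
        if tool not in MUTATING:
            return "deny"              # not on the allowlist: default deny
        if self.autonomous:
            return "deny"              # mutating tool, nobody to approve it
        if not approved:
            return "needs_approval"    # surface to the operator first
        now = self.clock()
        # Drop timestamps that have aged out of the sliding window.
        while self._recent and now - self._recent[0] >= WINDOW_SECONDS:
            self._recent.popleft()
        if len(self._recent) >= MAX_MUTATIONS:
            return "deny"              # rate limit on destructive actions
        self._recent.append(now)
        return "allow"
```

The decision depends only on the tool name and the agent's own state, so it holds whether or not the server enforces authentication.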
Mitigations
Upgrade nginx-ui to 2.3.4 or later. If you cannot upgrade immediately, block public access to port 9000 and restrict the MCP endpoints to authenticated networks only.
FAQs
Not on patched systems. nginx-ui 2.3.4 added the missing middleware call. Unpatched instances exposed to the network are still fully exploitable; Shodan showed roughly 2,600 at disclosure.
No, this was an implementation bug in one server, not a flaw in the protocol. But it illustrates a class of failure (server authors forgetting to gate every endpoint) that the spec doesn't prevent and probably can't.