MCPwn
-
Nginx UI Authentication Bypass Vulnerability (CVE-2026-33032 / MCPwn)
The vulnerability stems from a logic error in route registration: the /mcp endpoint is protected by the AuthRequired() middleware, but its paired /mcp_message endpoint, which receives the instructions for the actual tool calls, is registered without that authentication middleware. As a result, any attacker with network access to the UI can take over the Nginx service without any credentials.
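The registration flaw described above, next to a corrected registration and a route-table regression check, as an added example that is not Nginx UI's own code. It uses Go's standard net/http instead of the project's router; `authRequired`, `routes`, `unprotected`, the bearer token and the empty handler are hypothetical stand-ins.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// authRequired stands in for AuthRequired(); the token is a constructed value.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer constructed-token" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

var ok = http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}) // placeholder handler, replies 200

// routes reproduces the flaw when wrapAll is false (only /mcp is wrapped).
func routes(wrapAll bool) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/mcp_message", ok)
	if !wrapAll {
		mux.Handle("/mcp", authRequired(ok))
		return mux // /mcp_message was registered without the middleware
	}
	mux.Handle("/mcp", ok)
	return authRequired(mux) // fix: one check in front of every route
}

// unprotected returns the paths that answer a credential-less request with anything but 401.
func unprotected(h http.Handler, paths ...string) []string {
	var open []string
	for _, p := range paths {
		rec := httptest.NewRecorder()
		h.ServeHTTP(rec, httptest.NewRequest(http.MethodPost, p, nil))
		if rec.Code != http.StatusUnauthorized {
			open = append(open, p)
		}
	}
	return open
}

func main() {
	fmt.Println(unprotected(routes(false), "/mcp", "/mcp_message"), unprotected(routes(true), "/mcp", "/mcp_message"))
}
```

Running `unprotected` over every registered path in CI fails the build as soon as a route is added outside the authenticated wrapper.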