Description
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.
Published: 2026-03-30
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: Remote Nginx service takeover
Action: Immediate Patch
AI Analysis

Impact

Nginx UI versions up to 2.3.5 expose an /mcp_message endpoint that is not covered by the authentication middleware and accepts arbitrary Model Context Protocol commands. Through this unauthenticated endpoint an attacker can perform privileged operations such as creating, deleting, or modifying nginx configuration files, restarting the server, and triggering automatic reloads. This amounts to a full takeover of the nginx service, allowing an attacker to alter the server configuration, halt service availability, or execute code within the nginx process.

Affected Systems

The vulnerability affects the Nginx UI application provided by 0xJacky. All releases 2.3.5 and earlier are vulnerable; later versions, not yet available at the time of publication, are presumed to contain the fix.

Risk and Exploitability

The CVSS score of 9.8 rates this flaw as critical, and with no patch available the unauthenticated endpoint remains easily exploitable from any network location. Although EPSS is not reported and the vulnerability is not listed in KEV, the straightforward network-accessible attack path and the full service takeover it enables suggest a high likelihood of real-world exploitation.

Generated by OpenCVE AI on March 30, 2026 at 19:23 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Nginx UI to version 2.3.6 or later when a patch is released.
  • If an upgrade is not immediately possible, restrict access to the /mcp_message endpoint by populating the IP whitelist with only trusted internal IPs (an empty whitelist is treated as "allow all", so it must not be left empty) and/or applying firewall rules to block external traffic to that endpoint.
  • Consider disabling the MCP integration in Nginx UI or removing the component until a fix is available.
  • Monitor Nginx UI logs for unexpected /mcp_message requests and ensure configuration files are not being altered.
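As an added illustration of the two whitelist semantics contrasted in the description (empty list read as "allow all" versus "deny all") and of the fail-closed, authenticated check the recommended actions call for. This is constructed Go, not nginx-ui's own code; the names ipInList, allowedFailOpen, allowedFailClosed, protect and the authOK callback are assumptions, and the addresses are constructed sample values.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// Constructed illustration, not nginx-ui's own code. The advisory's flaw is an
// allow-list that reads "no entries" as "allow everyone"; the fix reads it as "deny".
// ipInList matches remoteIP against single-address or CIDR entries in list.
func ipInList(list []string, remoteIP string) bool {
	ip := net.ParseIP(remoteIP)
	for _, e := range list {
		_, cidr, err := net.ParseCIDR(e)
		if ip != nil && ((err == nil && cidr.Contains(ip)) || net.ParseIP(e).Equal(ip)) {
			return true
		}
	}
	return false
}

// allowedFailOpen: an empty list means no restriction (the vulnerable semantics).
func allowedFailOpen(list []string, remoteIP string) bool {
	return len(list) == 0 || ipInList(list, remoteIP)
}

// allowedFailClosed: an empty list means nobody is allowed (the hardened semantics).
func allowedFailClosed(list []string, remoteIP string) bool {
	return len(list) > 0 && ipInList(list, remoteIP)
}

// protect chains the fail-closed allow-list with an authentication check, the pairing
// the advisory says /mcp had and /mcp_message lacked; authOK is a placeholder check.
func protect(list []string, authOK func(*http.Request) bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil || !allowedFailClosed(list, host) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if !authOK(r) {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func main() { fmt.Println(allowedFailOpen(nil, "203.0.113.9"), allowedFailClosed(nil, "203.0.113.9")) } // true false
```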


Advisories
Source       ID                    Title
GitHub GHSA  GHSA-h6c2-x2m2-mwhf   nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
History

Mon, 30 Mar 2026 19:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 18:15:00 +0000

Type: Description
Values Removed: none
Values Added: the CVE description reproduced at the top of this page

Type: Title
Values Removed: none
Values Added: Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover

Type: Weaknesses
Values Removed: none
Values Added: CWE-306

Type: References
Values Removed: none
Values Added: none listed

Type: Metrics (cvssV3_1)
Values Removed: none
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-30T18:37:50.239Z

Reserved: 2026-03-17T17:22:14.670Z

Link: CVE-2026-33032

Vulnrichment

Updated: 2026-03-30T18:37:38.683Z

NVD

Status: Received

Published: 2026-03-30T18:16:19.410

Modified: 2026-03-30T19:16:25.683

Link: CVE-2026-33032

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:55:22Z

Weaknesses