Description
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.
Published: 2026-03-30
Score: 9.8 Critical
EPSS: 12.7% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is present in Nginx UI version 2.3.5 and earlier. The MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While the /mcp endpoint is protected by authentication, the /mcp_message endpoint only applies IP whitelisting, and by default that whitelist is empty, which the middleware treats as allowing all IP addresses. This allows any network attacker who can reach the application to invoke all MCP tools, including commands to restart Nginx, create or modify nginx configuration files, and trigger automatic configuration reloads, resulting in a complete takeover of the Nginx service. The weakness is classified as CWE-306 (Missing Authentication for Critical Function) and leads to a critical remote code execution that compromises the confidentiality, integrity, and availability of the web server.

Affected Systems

Affected deployments are those using the Nginx UI web interface released by 0xJacky. Versions 2.3.5 and earlier are impacted. The vulnerability manifests when the default empty IP whitelist remains in force, so any environment in which the Nginx UI is reachable from untrusted networks is at risk.

Risk and Exploitability

The CVSS base score is 9.8, indicating a critical severity. The EPSS score of 13% indicates a relatively low but non-zero potential for exploitation; nevertheless, the absence of authentication means that an attacker only needs network reachability to the /mcp_message endpoint. The vulnerability is not yet listed in the CISA KEV catalog, but the ability to take over the Nginx service warrants immediate consideration. Attacks are possible from any remote host that can contact the web interface; no additional authentication or privilege escalation is required beyond connectivity.

Generated by OpenCVE AI on May 28, 2026 at 15:00 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Configure the IP whitelist for the /mcp_message endpoint to include only trusted IPs or local addresses.
  • If the MCP functionality is not required, disable or remove the /mcp_message endpoint from the configuration.
  • Monitor Nginx UI logs for attempts to access /mcp_message.
  • Apply any vendor patch or update to a later, non-vulnerable version once it becomes available.
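As an added illustration of the first recommended action (example code, not nginx-ui's own middleware), the two allowlist rules the advisory contrasts, written as a small Go net/http middleware: allowedWeak reproduces the "empty list means allow all" behaviour that leaves /mcp_message open, while allowedStrict and the ipAllowlist wrapper fail closed. All function names are assumptions for this example.

```go
package main

import (
	"net"
	"net/http"
)

// matchesAny reports whether clientIP equals an entry or lies inside a CIDR entry.
func matchesAny(clientIP string, allow []string) bool {
	ip := net.ParseIP(clientIP)
	if ip == nil {
		return false
	}
	for _, entry := range allow {
		_, cidr, err := net.ParseCIDR(entry) // err != nil means a plain IP entry
		if (err == nil && cidr.Contains(ip)) || (err != nil && ip.Equal(net.ParseIP(entry))) {
			return true
		}
	}
	return false
}

// allowedWeak reproduces the rule the advisory describes: an empty allowlist
// means "allow all", so an unconfigured deployment is open to every client.
func allowedWeak(clientIP string, allow []string) bool {
	return len(allow) == 0 || matchesAny(clientIP, allow)
}

// allowedStrict fails closed: an empty allowlist admits nobody.
func allowedStrict(clientIP string, allow []string) bool {
	return len(allow) != 0 && matchesAny(clientIP, allow)
}

// permitRemoteAddr applies the fail-closed rule to a "host:port" RemoteAddr, rejecting malformed ones.
func permitRemoteAddr(remoteAddr string, allow []string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	return err == nil && allowedStrict(host, allow)
}

// ipAllowlist guards a handler with permitRemoteAddr; hypothetical middleware
// to place in front of /mcp_message, not nginx-ui's own code.
func ipAllowlist(allow []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !permitRemoteAddr(r.RemoteAddr, allow) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

Note that r.RemoteAddr is the TCP peer; if the UI sits behind a reverse proxy, the proxy's address is what gets matched, so the allowlist must be enforced where the real client address is known.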

Advisories
Source: GitHub GHSA
ID: GHSA-h6c2-x2m2-mwhf
Title: nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
History

Thu, 16 Apr 2026 22:30:00 +0000

Wed, 01 Apr 2026 23:45:00 +0000

  Values Removed: none
  Values Added:
    First Time appeared: Nginxui; Nginxui nginx Ui
    CPEs: cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*
    Vendors & Products: Nginxui; Nginxui nginx Ui

Wed, 01 Apr 2026 02:15:00 +0000

  Values Removed: none
  Values Added:
    First Time appeared: 0xjacky; 0xjacky nginx-ui
    Vendors & Products: 0xjacky; 0xjacky nginx-ui

Mon, 30 Mar 2026 19:15:00 +0000

  Values Removed: none
  Values Added:
    Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 18:15:00 +0000

  Values Removed: none
  Values Added:
    Description: Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.
    Title: Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
    Weaknesses: CWE-306
    References:
    Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T21:42:59.787Z

Reserved: 2026-03-17T17:22:14.670Z

Link: CVE-2026-33032

Vulnrichment

Updated: 2026-04-16T21:42:59.787Z

NVD

Status: Modified

Published: 2026-03-30T18:16:19.410

Modified: 2026-04-16T22:16:37.433

Link: CVE-2026-33032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T15:15:19Z

Weaknesses