Description
Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.
Published: 2026-03-30
Score: 9.8 Critical
EPSS: 7.5% Low
KEV: No
Impact: Remote Code Execution
Action: Assess Impact
AI Analysis

Impact

The vulnerability is present in Nginx UI version 2.3.5 and earlier. The MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While the /mcp endpoint is protected, the /mcp_message endpoint only applies IP whitelisting, and by default that whitelist is empty, effectively allowing all IP addresses. As a result, any network attacker who can reach the application can invoke all MCP tools, including commands to restart Nginx, create or modify nginx configuration files, and trigger automatic configuration reloads. This gives the attacker complete takeover of the Nginx service. The weakness is characterized as CWE-306 (Missing Authentication). The impact is a critical remote code execution that compromises confidentiality, integrity, and availability of the web server.

Affected Systems

Affected deployments are those using the Nginx UI web interface released by 0xJacky. Versions 2.3.5 and earlier are impacted. The vulnerability manifests when the default empty IP whitelist remains in force, so any environment that exposes the Nginx UI to external networks is at risk.

Risk and Exploitability

The CVSS base score is 9.8, indicating a critical severity. The EPSS score of 5% indicates a relatively low but non-zero potential for exploitation; nevertheless, the absence of authentication means that an attacker only needs network reachability to the /mcp_message endpoint. The vulnerability is not yet listed in the CISA KEV catalog, but the ability to take over the Nginx service warrants immediate consideration. Attacks are possible from any remote host that can contact the web interface; no additional authentication or privilege escalation is required beyond connectivity.

Generated by OpenCVE AI on April 18, 2026 at 09:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify that Nginx UI 2.3.5 or earlier is in use.
  • Configure the IP whitelist for the /mcp_message endpoint to include only trusted IPs or local addresses.
  • If the MCP functionality is not required, disable or remove the /mcp_message endpoint from the configuration.
  • Apply any vendor patch or update to a later, non-vulnerable version once it becomes available.
  • Monitor Nginx UI logs for attempts to access /mcp_message.

Generated by OpenCVE AI on April 18, 2026 at 09:33 UTC.
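The Go code below is an added defensive example, not code from this OpenCVE record or from the nginx-ui project. It shows the fail-closed allowlist semantics the description contrasts with (an empty list denies instead of allowing all) and the log check the recommended actions ask for; the combined-format log layout and the sample lines are assumptions constructed for the example.

```go
package main

import (
	"net"
	"strings"
)
// Allowlist is fail-closed: an empty list denies everyone, unlike the "empty whitelist means allow all" behaviour behind CVE-2026-33032.
type Allowlist []*net.IPNet

// NewAllowlist parses CIDR entries such as "127.0.0.1/32" or "10.0.0.0/8".
func NewAllowlist(cidrs []string) (Allowlist, error) {
	var al Allowlist
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(strings.TrimSpace(c))
		if err != nil {
			return nil, err // a malformed list is an error, never a silent allow-all
		}
		al = append(al, n)
	}
	return al, nil
}

// Allowed is true only for a parsable address inside a configured range.
func (al Allowlist) Allowed(addr string) bool {
	ip := net.ParseIP(addr)
	for _, n := range al {
		if ip != nil && n.Contains(ip) {
			return true
		}
	}
	return false // reached for unparsable addresses and for an empty allowlist
}

// UnauthorizedMCPHits returns the client IPs in combined-format access log lines that reached /mcp_message from outside the allowlist.
func UnauthorizedMCPHits(lines []string, al Allowlist) []string {
	var hits []string
	for _, line := range lines {
		f := strings.Fields(line) // client ident user [time] "METHOD path proto" ...
		if len(f) < 7 || strings.SplitN(f[6], "?", 2)[0] != "/mcp_message" || al.Allowed(f[0]) {
			continue
		}
		hits = append(hits, f[0])
	}
	return hits
}

// SampleLog is a constructed access-log excerpt, not taken from any real deployment.
var SampleLog = []string{
	`127.0.0.1 - - [18/Apr/2026:09:00:01 +0000] "POST /mcp_message HTTP/1.1" 200 52 "-" "curl/8.0"`,
	`203.0.113.7 - - [18/Apr/2026:09:00:05 +0000] "POST /mcp_message?sessionId=x HTTP/1.1" 200 52 "-" "-"`,
}
```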

Advisories

Source: GitHub GHSA
ID: GHSA-h6c2-x2m2-mwhf
Title: nginx-ui's Unauthenticated MCP Endpoint Allows Remote Nginx Takeover

History

Thu, 16 Apr 2026 22:30:00 +0000

Wed, 01 Apr 2026 23:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Nginxui; Nginxui nginx Ui
CPEs                  -                cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*
Vendors & Products    -                Nginxui; Nginxui nginx Ui

Wed, 01 Apr 2026 02:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                0xjacky; 0xjacky nginx-ui
Vendors & Products    -                0xjacky; 0xjacky nginx-ui

Mon, 30 Mar 2026 19:15:00 +0000

Type                  Values Removed   Values Added
Metrics (ssvc)        -                {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 30 Mar 2026 18:15:00 +0000

Values Added:
  Description: Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as "allow all". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches.
  Title: Nginx UI: Unauthenticated MCP Endpoint Allows Remote Nginx Takeover
  Weaknesses: CWE-306
  References:
  Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-04-16T21:42:59.787Z
Reserved: 2026-03-17T17:22:14.670Z
Link: CVE-2026-33032

Vulnrichment

Updated: 2026-04-16T21:42:59.787Z

NVD

Status: Modified
Published: 2026-03-30T18:16:19.410
Modified: 2026-04-16T22:16:37.433
Link: CVE-2026-33032

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T09:45:25Z

Weaknesses