thehackernews.com 4/15/2026, 2:03:15 PM

nginx-ui flaw CVE-2026-33032 exploited, allowing server takeover

CyberSIXT Evidence Panel
Primary Source: pluto.security
CVE Intel
CISA KEV: Not in KEV
Patch: Patch Available

A critical flaw in nginx-ui, CVE-2026-33032, has moved from disclosure to active exploitation in the wild. It carries a CVSS score of 9.8 and the codename MCPwn, assigned by Pluto Security. The issue is an authentication bypass in the open-source, web-based Nginx management tool that lets threat actors seize full control of the Nginx service.

An advisory from the nginx-ui maintainers describes two HTTP endpoints, /mcp and /mcp_message. The /mcp endpoint requires both authentication and IP whitelisting, but /mcp_message applies only the IP whitelist, and because the default whitelist is empty it effectively allows all clients. According to Pluto Security researcher Yotam Perkal, the attack achieves a full takeover in seconds with two requests: a GET to /mcp to start a session, then a POST to /mcp_message carrying the session ID to run MCP tools without authentication.

Shodan data shows about 2,689 nginx-ui instances exposed worldwide, prompting urgent guidance to update to version 2.3.4, released on 15 March 2026, or, as a temporary measure, to disable MCP and tighten network access.
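As an added defender-side example (not code from the article, Pluto Security or the nginx-ui project), the script below scans constructed nginx combined-format access-log lines for the two-request pattern described above and models the IP allowlist check fail-closed instead of "empty means allow all". It assumes nginx-ui is reached through a reverse proxy that writes such a log; the sample lines are constructed, not real traffic.

```python
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines in nginx "combined" access-log format, not real traffic.
# Assumes nginx-ui sits behind a reverse proxy that writes such a log.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Apr/2026:13:58:01 +0000] "GET /mcp HTTP/1.1" 200 512 "-" "curl/8.5.0"
203.0.113.7 - - [15/Apr/2026:13:58:02 +0000] "POST /mcp_message HTTP/1.1" 200 214 "-" "curl/8.5.0"
198.51.100.3 - - [15/Apr/2026:13:59:10 +0000] "GET /mcp HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.3 - - [15/Apr/2026:14:10:00 +0000] "POST /api/login HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one combined-format line; returns None when the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec

def ip_allowed(client_ip, allowlist, fail_closed=True):
    """IP allowlist check. fail_closed=False models the 'empty list allows everyone'
    behaviour the advisory describes; fail_closed=True denies when no list is configured."""
    if not allowlist:
        return not fail_closed
    addr = ip_address(client_ip)
    return any(addr in ip_network(net, strict=False) for net in allowlist)

def find_mcp_sequences(log_text, window_seconds=60):
    """Flag a GET /mcp followed within window_seconds by a POST /mcp_message from the
    same client IP, the two-request pattern the article describes."""
    last_get, hits = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and rec["path"] == "/mcp":
            last_get[rec["ip"]] = rec["ts"]
        elif rec["method"] == "POST" and rec["path"] == "/mcp_message":
            started = last_get.get(rec["ip"])
            if started and (rec["ts"] - started).total_seconds() <= window_seconds:
                hits.append({"ip": rec["ip"], "at": rec["ts"].isoformat(), "status": int(rec["status"])})
    return hits
```

Running `find_mcp_sequences(SAMPLE_LOG)` flags only the first client, whose POST to /mcp_message follows its GET to /mcp within one second; the second client never touches /mcp_message.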


Article by CyberSIXT
