Technical description
A critical authentication bypass in nginx-ui's Model Context Protocol (MCP) integration allows remote attackers to invoke any of 12 privileged MCP tools — including config writes with automatic nginx reload — without authentication. The flaw arises because the /mcp_message endpoint applies only IP whitelisting (default: allow all) while omitting authentication checks. Attackers can achieve full nginx server takeover in two unauthenticated HTTP requests. Named 'MCPwn' by Pluto Security, active exploitation was confirmed on March 30 by VulnCheck and Recorded Future's Insikt Group; 2,689 vulnerable instances remain publicly accessible.
Attack vector
Step 1: Send HTTP GET to /mcp endpoint to establish a session and obtain session ID (no auth required with default whitelist settings). Step 2: Send HTTP POST to /mcp_message with the session ID to invoke any MCP tool — including writing nginx configs that trigger automatic service reload. Full server control achieved in two requests with zero credentials.
Affected systems
nginx-ui versions prior to 2.3.4. Any nginx-ui deployment using the MCP integration feature, particularly those exposed to untrusted networks.
Mitigation
Upgrade to nginx-ui version 2.3.4 immediately (patch released March 15, 2026). Audit nginx-ui access logs for suspicious /mcp_message POST requests. Apply network-level controls to restrict nginx-ui admin interfaces to trusted IP ranges. Review nginx configuration files for unexpected modifications.