
Critical nginx-ui Flaw Lets Attackers Hijack Web Servers Without a Password

A critical authentication bypass vulnerability in nginx-ui — a popular web-based management panel for nginx servers — is being actively exploited in the wild. Tracked as CVE-2026-33032 with a CVSS score of 9.8 out of 10, the flaw lets attackers take complete control of an affected web server without needing any credentials at all. Security researchers at Pluto Security have dubbed it “MCPwn,” and it’s as bad as it sounds. Details were published by Picus Security.

The issue affects nginx-ui versions 2.3.3 and earlier. The root cause is a missing authentication check on a key API endpoint — one that handles destructive operations like rewriting server configurations. An attacker can exploit it in as few as two HTTP requests, gaining the ability to modify your nginx configuration, redirect traffic, or inject malicious content. Shodan scans show roughly 2,700 publicly exposed instances worldwide, and that’s before counting internal deployments.

If your business runs a website or web application on nginx and uses nginx-ui to manage it, update to version 2.3.4 or later immediately. If you can’t patch straight away, disable the MCP integration feature or lock down network access to the management interface. It’s also worth rotating any credentials and SSL certificates that may have been exposed.
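To turn the version guidance above into a repeatable check, here is a small triage script (an added example, not code from the original post or from the nginx-ui project). It assumes you already have an inventory of hosts with their nginx-ui version strings; the hostnames, versions and exposure flags below are constructed.

```python
"""Flag nginx-ui instances that still run an affected release (2.3.3 or
earlier) and rank them so internet-exposed hosts are patched first."""
import re

FIXED_VERSION = (2, 3, 4)  # first release the advisory describes as patched


def parse_version(text):
    """Turn 'v2.3.3', '2.3.3-rc2' or '2.3' into a comparable int tuple.
    A pre-release of 2.3.3 is treated as 2.3.3 (conservative: still affected)."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version_text):
    """True for anything below the fixed release, i.e. 2.3.3 and earlier."""
    return parse_version(version_text) < FIXED_VERSION


def triage(inventory):
    """Return the affected hosts, internet-exposed first, then oldest version first."""
    affected = [h for h in inventory if is_affected(h["version"])]
    return sorted(affected,
                  key=lambda h: (not h["public"], parse_version(h["version"])))


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "web-01.example.internal", "version": "2.3.3", "public": False},
    {"host": "web-02.example.internal", "version": "v2.1.0", "public": True},
    {"host": "web-03.example.internal", "version": "2.3.4", "public": False},
    {"host": "web-04.example.internal", "version": "2.3.3-rc2", "public": True},
]

if __name__ == "__main__":
    for h in triage(SAMPLE_INVENTORY):
        where = "INTERNET-EXPOSED" if h["public"] else "internal"
        print(f"{h['host']}: nginx-ui {h['version']} affected ({where}) "
              f"-> upgrade to 2.3.4 or later")
```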

Not sure what’s running behind your website? That’s common — many businesses don’t have visibility into their hosting stack. Get in touch with All IT Services and we can review your web infrastructure and make sure nothing’s exposed that shouldn’t be.
