Authentication bypass in nginx-ui via MCP-enabled API leading to remote server compromise
Summary
A critical authentication bypass vulnerability in nginx-ui (CVE-2026-33032, CVSS 9.8) allows unauthenticated, network-adjacent attackers to gain full control of nginx servers via the MCP-enabled /mcp_message endpoint. The flaw, disclosed by Pluto Security in March 2026 and patched in version 2.3.4, stems from missing authentication middleware on an endpoint processing privileged operations such as configuration writes and server reloads. Public exposure includes over 2,600 internet-accessible instances and over 430,000 Docker image pulls, with exploitation confirmed in the wild. The issue reflects a broader pattern of AI integration endpoints (MCP) introducing security gaps, as Pluto Security also disclosed a second critical MCP-related flaw in 2026. Technical details and proof-of-concept exploits are publicly available, heightening the risk of abuse.
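As an added illustration (not nginx-ui's own code; the middleware, handler and token scheme are hypothetical stand-ins), the shape of the bug the summary describes and of its fix: a privileged /mcp_message handler registered without the session-check middleware, beside the same handler wrapped in it, plus the kind of check a regression test can assert on.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for a valid nginx-ui session credential (not the real scheme).
const sessionToken = "constructed-session-token"
// requireAuth is a hypothetical auth middleware: reject requests lacking the token.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+sessionToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
// mcpMessage stands in for the privileged MCP tool dispatcher (config writes, reloads).
func mcpMessage(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprint(w, "tool invoked")
}
// buildRouter registers /mcp_message bare (vulnerable shape) or behind the middleware (fix).
func buildRouter(patched bool) http.Handler {
	mux := http.NewServeMux()
	var h http.Handler = http.HandlerFunc(mcpMessage)
	if patched {
		h = requireAuth(h)
	}
	mux.Handle("/mcp_message", h)
	return mux
}

// statusFor is the regression check: anything but 401 for a token-less request means
// the endpoint is reachable without authentication.
func statusFor(router http.Handler, withToken bool) int {
	req := httptest.NewRequest(http.MethodPost, "/mcp_message", nil)
	if withToken {
		req.Header.Set("Authorization", "Bearer "+sessionToken)
	}
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor(buildRouter(false), false), statusFor(buildRouter(true), false)) // 200 401
}
```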
Timeline
- 15.04.2026 16:00 (2 articles)
Critical nginx-ui MCP authentication bypass actively exploited in the wild
Pluto Security researchers discovered CVE-2026-33032 and responsibly disclosed it to nginx-ui developers in March 2026. Technical details and proof-of-concept exploit code for the vulnerability have been publicly available, significantly increasing the risk of exploitation. The issue reflects a broader pattern noted by researchers where AI integration endpoints (MCP) expose privileged capabilities while bypassing core application security controls. Additional nginx-ui vulnerabilities disclosed in recent months include CVE-2026-27944 (unauthenticated backup data downloads) and CVE-2026-33030 (authenticated attackers accessing and modifying other users' resources).
- Critical Nginx-ui MCP Flaw Actively Exploited in the Wild — www.infosecurity-magazine.com — 15.04.2026 16:00
- Exploited Vulnerability Exposes Nginx Servers to Hacking — www.securityweek.com — 15.04.2026 17:45
Information Snippets
- Vulnerability CVE-2026-33032 in nginx-ui allows unauthenticated, network-adjacent attackers to execute privileged actions via the MCP-enabled /mcp_message endpoint.
  First reported: 15.04.2026 16:00 (2 sources, 2 articles). Sources:
- Critical Nginx-ui MCP Flaw Actively Exploited in the Wild — www.infosecurity-magazine.com — 15.04.2026 16:00
- Exploited Vulnerability Exposes Nginx Servers to Hacking — www.securityweek.com — 15.04.2026 17:45
- The root cause is a missing authentication middleware on the /mcp_message endpoint, which processes MCP tool invocations including configuration writes and server restarts.
  First reported: 15.04.2026 16:00 (2 sources, 2 articles). Sources:
- Critical Nginx-ui MCP Flaw Actively Exploited in the Wild — www.infosecurity-magazine.com — 15.04.2026 16:00
- Exploited Vulnerability Exposes Nginx Servers to Hacking — www.securityweek.com — 15.04.2026 17:45
- Exploitation enables seven destructive capabilities (such as injecting nginx configurations and reloading the server to intercept traffic) and five reconnaissance actions (including reading configurations and mapping backend infrastructure).
  First reported: 15.04.2026 16:00 (1 source, 1 article). Sources:
- Critical Nginx-ui MCP Flaw Actively Exploited in the Wild — www.infosecurity-magazine.com — 15.04.2026 16:00
- Over 2,600 publicly accessible nginx-ui instances were identified via Shodan, predominantly using default port 9000, across cloud providers including Alibaba Cloud, Oracle, and Tencent.
  First reported: 15.04.2026 16:00 (2 sources, 2 articles). Sources:
- Critical Nginx-ui MCP Flaw Actively Exploited in the Wild — www.infosecurity-magazine.com — 15.04.2026 16:00
- Exploited Vulnerability Exposes Nginx Servers to Hacking — www.securityweek.com — 15.04.2026 17:45
- The nginx-ui Docker image has been pulled more than 430,000 times, indicating a large potential exposure beyond publicly visible instances.
  First reported: 15.04.2026 16:00 (2 sources, 2 articles). Sources:
- Critical Nginx-ui MCP Flaw Actively Exploited in the Wild — www.infosecurity-magazine.com — 15.04.2026 16:00
- Exploited Vulnerability Exposes Nginx Servers to Hacking — www.securityweek.com — 15.04.2026 17:45
- A patch was released in nginx-ui version 2.3.4 within one day of disclosure, consisting of 27 characters of added code plus a regression test.
  First reported: 15.04.2026 16:00 (1 source, 1 article). Sources:
- Critical Nginx-ui MCP Flaw Actively Exploited in the Wild — www.infosecurity-magazine.com — 15.04.2026 16:00
- Recorded Future's Insikt Group flagged the flaw as one of 31 high-impact vulnerabilities exploited in March 2026, assigning it a risk score of 94 out of 100.
  First reported: 15.04.2026 16:00 (2 sources, 2 articles). Sources:
- Critical Nginx-ui MCP Flaw Actively Exploited in the Wild — www.infosecurity-magazine.com — 15.04.2026 16:00
- Exploited Vulnerability Exposes Nginx Servers to Hacking — www.securityweek.com — 15.04.2026 17:45
- Pluto Security researchers discovered CVE-2026-33032 and responsibly disclosed it to nginx-ui developers in March 2026.
  First reported: 15.04.2026 17:45 (1 source, 1 article). Sources:
- Exploited Vulnerability Exposes Nginx Servers to Hacking — www.securityweek.com — 15.04.2026 17:45
- Technical details and proof-of-concept exploit code for CVE-2026-33032 have been publicly available.
  First reported: 15.04.2026 17:45 (1 source, 1 article). Sources:
- Exploited Vulnerability Exposes Nginx Servers to Hacking — www.securityweek.com — 15.04.2026 17:45
- CVE-2026-33032 is the second critical MCP-related vulnerability disclosed by Pluto Security in 2026, highlighting a pattern of AI integration endpoints bypassing security controls.
  First reported: 15.04.2026 17:45 (1 source, 1 article). Sources:
- Exploited Vulnerability Exposes Nginx Servers to Hacking — www.securityweek.com — 15.04.2026 17:45
- Additional nginx-ui vulnerabilities disclosed recently include CVE-2026-27944 (unauthenticated backup data downloads) and CVE-2026-33030 (authenticated attackers accessing and modifying other users' resources).
  First reported: 15.04.2026 17:45 (1 source, 1 article). Sources:
- Exploited Vulnerability Exposes Nginx Servers to Hacking — www.securityweek.com — 15.04.2026 17:45
Similar Happenings
Langflow unauthenticated RCE vulnerability (CVE-2026-33017) exploited within 20 hours of disclosure
CISA formally confirmed active exploitation of the Langflow unauthenticated RCE vulnerability (CVE-2026-33017) on March 26, 2026, adding it to the Known Exploited Vulnerabilities (KEV) catalog and mandating U.S. federal agencies to apply mitigations or stop using the product by April 8, 2026. Threat actors exploited the flaw within 20–24 hours of its March 17, 2026 disclosure, progressing from automated scanning to staged Python payload delivery and credential harvesting (including .env and .db files) despite the absence of public PoC code. The vulnerability, with a CVSS score of 9.3, affects all Langflow versions prior to and including 1.8.1 and stems from an unsandboxed exec() call in the /api/v1/build_public_tmp/{flow_id}/flow endpoint. CISA did not attribute exploitation to ransomware actors but emphasized the risk to AI workflows given Langflow’s widespread adoption, including 145,000 GitHub stars. Endor Labs reported that attackers likely reverse-engineered exploits from the advisory details, underscoring the accelerating weaponization timeline. Mitigation guidance includes upgrading to version 1.9.0+ or disabling the vulnerable endpoint, restricting internet exposure, monitoring outbound traffic, and rotating all associated credentials.
Three Flaws in Anthropic MCP Git Server Enable File Access and Code Execution
Three vulnerabilities in the mcp-server-git, maintained by Anthropic, allow file access, deletion, and code execution via prompt injection. The flaws have been addressed in versions 2025.9.25 and 2025.12.18. The vulnerabilities include path traversal and argument injection issues that can be exploited to manipulate Git repositories and execute arbitrary code. The issues were disclosed by Cyata researcher Yarden Porat, highlighting the risks of prompt injection attacks without direct system access. The vulnerabilities affect all versions of mcp-server-git released before December 8, 2025, and apply to default installations. An attacker only needs to influence what an AI assistant reads to trigger the vulnerabilities. The flaws allow attackers to execute code, delete arbitrary files, and load arbitrary files into a large language model's context. While the vulnerabilities do not directly exfiltrate data, sensitive files may still be exposed to the AI, creating downstream security and privacy risks. The vulnerabilities have been assigned CVE-2025-68143, CVE-2025-68144, and CVE-2025-68145.
Active Exploitation of Critical Adobe AEM Forms Misconfiguration
A critical misconfiguration flaw in Adobe Experience Manager (AEM) Forms on JEE versions 6.5.23.0 and earlier is under active exploitation. The flaw, CVE-2025-54253, allows arbitrary code execution via an exposed servlet. Adobe released a patch in August 2025. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies must apply the necessary fixes by November 5, 2025. The flaw was discovered by Adam Kues and Shubham Shah of Searchlight Cyber, who disclosed it to Adobe on April 28, 2025. The flaw is caused by an exposed /adminui/debug servlet that evaluates user-supplied OGNL expressions as Java code without authentication or input validation. This enables attackers to execute arbitrary system commands with a single crafted HTTP request. A proof-of-concept exploit is publicly available.