Particle.news

Nginx UI Auth Bypass Now Actively Exploited for Full Server Takeover

A missing authentication check in the tool’s AI add-on exposed a powerful endpoint to any network user.

Overview

  • Security researchers and threat intel groups reported Wednesday that attackers are exploiting CVE-2026-33032 in the wild.
  • The Model Context Protocol add-on left the /mcp_message API without the AuthRequired check and treated an empty IP allowlist as allow-all.
  • Pluto Security demonstrated a two-step attack that gets a session ID from /mcp and then uses /mcp_message to rewrite configs and reload Nginx.
  • Shodan scans found about 2,600 internet-facing nginx-ui instances, and more than 430,000 Docker pulls point to many additional internal deployments.
  • Maintainers fixed the flaw in version 2.3.4 and urge users to update or to disable MCP with access restrictions. The latest secure release is 2.3.6, and Recorded Future and VulnCheck flag active exploitation.
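
The two failure modes named in the overview (a route left without its authentication check, and an empty IP allowlist read as allow-all) are shown here beside a fail-closed form. This Go sketch is an added illustration, not nginx-ui's code; guard, ipAllowed, probe, apiToken and the client address are hypothetical names and constructed values.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
)

const apiToken = "constructed-demo-token" // constructed sample secret
// ipAllowed: failOpen=true reproduces the flaw class, where an empty allowlist means "allow everyone".
func ipAllowed(allow []string, ip string, failOpen bool) bool {
	for _, a := range allow {
		if a == ip {
			return true
		}
	}
	return failOpen && len(allow) == 0
}

// guard wraps the handler; hardened=true denies on an empty allowlist and adds the token check.
func guard(allow []string, hardened bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil || !ipAllowed(allow, ip, !hardened) {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		if hardened && subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), []byte("Bearer "+apiToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		w.WriteHeader(http.StatusOK) // stand-in for the privileged action
	})
}

// probe sends one POST from a constructed client address and returns the HTTP status.
func probe(h http.Handler, auth string) int {
	req := httptest.NewRequest(http.MethodPost, "/mcp_message", nil)
	req.RemoteAddr = "203.0.113.7:40000" // constructed address (TEST-NET-3)
	req.Header.Set("Authorization", auth)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() { fmt.Println(probe(guard(nil, false), ""), probe(guard(nil, true), "")) }
```

With no allowlist configured, the weak guard answers 200 to an unauthenticated request while the hardened guard answers 403, which is the regression test worth keeping for any route that triggers privileged actions.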