A recently disclosed critical security flaw impacting nginx-ui, an open-source, web-based Nginx management tool, has come under active exploitation in the wild.
The vulnerability in question is CVE-2026–33032 (CVSS score: 9.8), an authentication bypass vulnerability that enables threat actors to seize control of the Nginx service. It has been codenamed MCPwn by Pluto Security.
“The nginx-ui MCP (Model Context Protocol) integration exposes two HTTP endpoints: /mcp and /mcp_message,” according to an advisory released by nginx-ui maintainers last month. “While /mcp requires both IP whitelisting and authentication (AuthRequired middleware), the /mcp_message endpoint only applies IP whitelisting — and the default IP whitelist is empty, which the middleware treats as ‘allow all.’”

I really enjoy the way this post presents the topic in such a balanced and clear manner, because it keeps the discussion interesting without feeling overwhelming, while also making it easy for different readers to understand and connect with the overall message.
nuevo casino online espana