{"data":{"id":"974eeaeb-1400-44ad-864e-7c08cb24fd8b","title":"Critical nginx UI tool vulnerability opens web servers to full compromise","summary":"A critical vulnerability in nginx UI, a dashboard tool for managing nginx web servers, allows attackers to bypass authentication through an unprotected endpoint called /mcp_message. This endpoint was added to support MCP (Model Context Protocol, a system that lets web servers communicate with AI models), but it lacks authentication, so anyone who can reach it over the network can inject malicious configurations and completely take over the server.","solution":"Update nginx UI to version 2.3.4, released March 15. For systems that cannot be patched immediately, disable MCP or restrict access with an IP allowlist that admits only trusted hosts, and review access logs for suspicious configuration changes.","labels":["security"],"sourceUrl":"https://www.csoonline.com/article/4159248/critical-nginx-ui-tool-vulnerability-opens-web-servers-to-full-compromise.html","publishedAt":"2026-04-15T20:52:20.000Z","cveId":null,"cweIds":null,"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["supply_chain"],"issueType":"news","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["nginx UI","MCP (Model Context Protocol)"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":null,"epssScore":null,"patchAvailable":null,"disclosureDate":"2026-04-15T20:52:20.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"api","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}