Critical nginx UI tool vulnerability opens web servers to full compromise
Summary
A critical vulnerability in nginx UI, a dashboard tool for managing nginx web servers, allows attackers to bypass security by accessing an unprotected endpoint called /mcp_message. This endpoint was added to support MCP (Model Context Protocol, a system that lets web servers communicate with AI models), but it lacks authentication, letting anyone on the network inject malicious configurations and completely take over the server.
Solution / Mitigation
Update to version 2.3.4, released March 15. For systems that cannot patch immediately, disable MCP or restrict access by using IP whitelisting to allow only trusted hosts, and review access logs for suspicious configuration changes.
Classification
Affected Vendors
Related Issues
Original source: https://www.csoonline.com/article/4159248/critical-nginx-ui-tool-vulnerability-opens-web-servers-to-full-compromise.html
First tracked: April 15, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 85%