Executive Summary

The vulnerability affects the nginx-ui web user interface, specifically its MCP (Model Context Protocol) integration which exposes two HTTP endpoints: /mcp and /mcp_message.

While the /mcp endpoint requires both IP whitelisting and authentication, the /mcp_message endpoint only enforces IP whitelisting. However, the default IP whitelist is empty, which the middleware treats as allowing all IP addresses, effectively disabling access control on /mcp_message.

This means any network attacker can invoke all MCP tools without authentication by sending requests to /mcp_message. These tools allow restarting nginx, creating/modifying/deleting nginx configuration files, and triggering automatic config reloads, leading to complete nginx service takeover.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthenticated remote attackers to fully control the nginx service by invoking MCP tools without authentication.

• Complete nginx takeover by creating, modifying, deleting configuration files and reloading or restarting nginx.
• Traffic interception through malicious reverse proxy configurations, capturing sensitive data such as credentials and session tokens.
• Service disruption by injecting invalid configurations that can take nginx offline.
• Exfiltration of all nginx configuration files, revealing backend infrastructure details.
• Credential harvesting by injecting custom access_log directives to capture Authorization headers from administrators.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if the nginx-ui service exposes the /mcp_message HTTP endpoint on port 9000 without requiring authentication and with an empty or permissive IP whitelist.

You can attempt to send an unauthenticated HTTP POST request to the /mcp_message endpoint to see if it accepts commands without authentication.

Example command using curl to test access to the vulnerable endpoint:

• curl -X POST http://<nginx-ui-host>:9000/mcp_message -d '{"tool":"nginx_config_list"}'

If the request succeeds without authentication and returns nginx configuration data or a response indicating the MCP tool was invoked, the system is vulnerable.

Additionally, you can scan your network for hosts with port 9000 open and probe the /mcp_message endpoint to detect exposure.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include:

• Restrict network access to the nginx-ui service on port 9000 to trusted IP addresses only, effectively limiting exposure.
• Implement firewall rules or network segmentation to block unauthorized access to the /mcp_message endpoint.
• If possible, disable or stop the nginx-ui service until a patch or fix is available.
• Monitor logs and network traffic for suspicious POST requests to /mcp_message.

Long-term remediation involves adding authentication middleware to the /mcp_message endpoint and changing the default IP whitelist to deny all when unconfigured, but these require code changes and patches.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows unauthenticated attackers to take complete control over the nginx service, including reading and modifying configuration files and intercepting traffic.

This can lead to exposure of sensitive data such as credentials and session tokens, which may violate data protection requirements under standards like GDPR and HIPAA.

By enabling attackers to capture Authorization headers and exfiltrate configuration details, the vulnerability undermines confidentiality, integrity, and availability controls required by these regulations.

Therefore, organizations using affected versions of nginx-ui may face compliance risks due to potential unauthorized access and data breaches stemming from this vulnerability.

Useful 0 Not Useful 0