Nginx UI Unauthenticated MCP Endpoint Vulnerability Leading to Remote Nginx Takeover

Vulnerability

A vulnerability in Nginx UI versions through 2.3.5 allows unauthenticated access to the Model Context Protocol (MCP) integration via the '/mcp_message' endpoint. This endpoint, which lacks both authentication and effective IP whitelisting, can be exploited by network attackers to invoke MCP tools that manipulate the Nginx configuration and control the Nginx service. The vulnerability arises from an authentication oversight: the '/mcp' endpoint requires authentication but '/mcp_message' does not, and the default IP whitelist is empty, which the server interprets as "allow all" rather than "deny all".

Impact

Exploitation of this vulnerability could lead to a complete takeover of the Nginx service. An attacker could modify, create, or delete Nginx configuration files, trigger immediate reloads or restarts of the Nginx process, and intercept or disrupt traffic by proxying it through an attacker-controlled upstream. Additionally, the vulnerability allows exfiltration of Nginx configuration details (including any secrets they contain) and harvesting of credentials from Nginx UI administrators whose traffic passes through the reconfigured server.

Reproduction

To reproduce this vulnerability, send a POST request, with no credentials, to the '/mcp_message' endpoint of an Nginx UI server. The request can carry an MCP payload that invokes the 'nginx_config_modify' tool to alter the main Nginx configuration file. Once the configuration is changed, Nginx can be reloaded either automatically or by calling the 'reload_nginx' tool directly.
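For defenders, the request shape described above (an unauthenticated POST to '/mcp_message' that the server answers with 2xx) is easy to hunt for in access logs. The following Go program is an added example, not part of this advisory or of the Nginx UI project: it scans constructed Nginx "combined"-format log lines, as a reverse proxy in front of Nginx UI might write them, and flags every accepted POST to '/mcp_message' from a source outside an operator-supplied allowlist. The log lines, IPs and user agents are made up for the example; an empty allowlist flags every accepted request, which is the fail-closed default the remediation section asks for.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// sampleLog holds constructed access-log lines in Nginx "combined" format.
// They are made up for this example, not taken from a real deployment.
const sampleLog = `10.0.0.5 - - [30/Mar/2026:18:20:01 +0000] "POST /mcp_message HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [30/Mar/2026:18:20:02 +0000] "POST /mcp_message?sessionId=abc HTTP/1.1" 200 1024 "-" "curl/8.5.0"
203.0.113.7 - - [30/Mar/2026:18:20:03 +0000] "GET /mcp HTTP/1.1" 401 0 "-" "curl/8.5.0"
10.0.0.5 - - [30/Mar/2026:18:20:04 +0000] "GET /api/configs HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [30/Mar/2026:18:20:05 +0000] "POST /mcp_message HTTP/1.1" 403 0 "-" "curl/8.5.0"`

// Finding is one accepted POST to /mcp_message from a source outside the allowlist.
type Finding struct {
	IP     string
	Time   string
	Status int
}

// combinedRe captures client IP, timestamp, method, request target and status
// from a combined-format line; the rest of the line is ignored.
var combinedRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) `)

// ParseAllowlist turns CIDR strings into networks; unparsable entries are skipped.
func ParseAllowlist(cidrs ...string) []*net.IPNet {
	var out []*net.IPNet
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil {
			out = append(out, n)
		}
	}
	return out
}

func allowed(ip net.IP, allow []*net.IPNet) bool {
	for _, n := range allow {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// Scan flags every POST to /mcp_message that the server accepted (2xx) from an
// IP outside allow. An empty allowlist flags all such requests (fail closed).
func Scan(log string, allow []*net.IPNet) []Finding {
	var findings []Finding
	for _, line := range strings.Split(log, "\n") {
		m := combinedRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		path := strings.SplitN(m[4], "?", 2)[0] // drop the query string before matching
		if m[3] != "POST" || path != "/mcp_message" {
			continue
		}
		status, _ := strconv.Atoi(m[5])
		if status < 200 || status > 299 {
			continue // rejected or failed requests did not reach a tool
		}
		if ip := net.ParseIP(m[1]); ip != nil && allowed(ip, allow) {
			continue
		}
		findings = append(findings, Finding{IP: m[1], Time: m[2], Status: status})
	}
	return findings
}

func main() {
	for _, f := range Scan(sampleLog, ParseAllowlist("10.0.0.0/8")) {
		fmt.Printf("ALERT %s POST /mcp_message accepted from %s outside allowlist (HTTP %d)\n", f.Time, f.IP, f.Status)
	}
}
```

With the allowlist set to 10.0.0.0/8 only the 203.0.113.7 request is reported; with no allowlist both accepted requests are. If Nginx UI sits behind a proxy, run this against the proxy's log, since the client address recorded by Nginx UI itself will be the proxy's.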

Remediation

To address this vulnerability, require the same authentication on the '/mcp_message' route as on '/mcp', and change the default IP whitelist behaviour so that an empty (unconfigured) whitelist denies all requests instead of allowing them.
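The following Go program is an added example that is not Nginx UI's own code; it models both the flaw and the fix with the standard library only. 'VulnerableMux' reproduces the two defects named above (no auth on '/mcp_message', an empty allowlist that admits everyone); 'HardenedMux' wraps both MCP routes in one fail-closed guard. 'ProbeMCPMessage' is the check from the reproduction section in its safe form: it sends a side-effect-free MCP 'tools/list' JSON-RPC request without credentials, so an HTTP 200 is the vulnerability signal and no configuration is touched. The bearer-token check, the token value and the stub MCP handler are assumptions made for the example; the real Nginx UI session mechanism and tool set are not modelled.

```go
package main

import (
	"crypto/subtle"
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// demoToken is a hypothetical credential for this example only.
const demoToken = "example-session-token"

// mcpHandler stands in for the MCP message transport: it accepts any JSON-RPC
// request with a method and answers with an empty tool list, enough to tell
// "accepted" from "rejected" without exposing real tools.
func mcpHandler(w http.ResponseWriter, r *http.Request) {
	var req struct{ Method string `json:"method"` }
	if json.NewDecoder(r.Body).Decode(&req) != nil || req.Method == "" {
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	fmt.Fprint(w, `{"jsonrpc":"2.0","id":1,"result":{"tools":[]}}`)
}

// requireAuth rejects requests without the bearer token (constant-time compare).
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if subtle.ConstantTimeCompare([]byte(tok), []byte(demoToken)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// ipAllowlist admits only peers inside allow. failClosed decides what an EMPTY
// list means: false is the weak default (empty = everyone), true the fix (empty = nobody).
func ipAllowlist(allow []*net.IPNet, failClosed bool, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if len(allow) == 0 && !failClosed {
			next.ServeHTTP(w, r)
			return
		}
		host, _, err := net.SplitHostPort(r.RemoteAddr)
		if ip := net.ParseIP(host); err == nil && ip != nil {
			for _, n := range allow {
				if n.Contains(ip) {
					next.ServeHTTP(w, r)
					return
				}
			}
		}
		http.Error(w, "forbidden", http.StatusForbidden)
	})
}

// VulnerableMux mirrors the flaw: /mcp is authenticated, /mcp_message is not,
// and the allowlist is fail-open.
func VulnerableMux(allow []*net.IPNet) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/mcp", ipAllowlist(allow, false, requireAuth(http.HandlerFunc(mcpHandler))))
	mux.Handle("/mcp_message", ipAllowlist(allow, false, http.HandlerFunc(mcpHandler)))
	return mux
}

// HardenedMux applies one fail-closed guard (allowlist, then auth) to both routes.
func HardenedMux(allow []*net.IPNet) http.Handler {
	guard := func(h http.Handler) http.Handler { return ipAllowlist(allow, true, requireAuth(h)) }
	mux := http.NewServeMux()
	mux.Handle("/mcp", guard(http.HandlerFunc(mcpHandler)))
	mux.Handle("/mcp_message", guard(http.HandlerFunc(mcpHandler)))
	return mux
}

// probeRequest builds the side-effect-free MCP "tools/list" probe for /mcp_message.
func probeRequest(baseURL, token string) (*http.Request, error) {
	body := strings.NewReader(`{"jsonrpc":"2.0","id":1,"method":"tools/list"}`)
	req, err := http.NewRequest(http.MethodPost, baseURL+"/mcp_message", body)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Content-Type", "application/json")
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	return req, nil
}

// ProbeMCPMessage sends the unauthenticated probe to a live server and returns
// the HTTP status; 200 means /mcp_message accepted an MCP request without credentials.
func ProbeMCPMessage(baseURL string) (int, error) {
	req, err := probeRequest(baseURL, "")
	if err != nil {
		return 0, err
	}
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// StatusFor runs the probe against h in-process as seen from peer ("ip:port"); -1 on error.
func StatusFor(h http.Handler, peer, token string) int {
	req, err := probeRequest("http://nginx-ui.example", token) // hypothetical host
	if err != nil {
		return -1
	}
	req.RemoteAddr = peer
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func cidrs(list ...string) []*net.IPNet {
	var out []*net.IPNet
	for _, c := range list {
		if _, n, err := net.ParseCIDR(c); err == nil {
			out = append(out, n)
		}
	}
	return out
}

func main() {
	peer := "203.0.113.7:51234" // constructed external client address
	fmt.Println("vulnerable, empty allowlist, no token:", StatusFor(VulnerableMux(nil), peer, ""))
	fmt.Println("hardened,   empty allowlist, no token:", StatusFor(HardenedMux(nil), peer, ""))
	fmt.Println("hardened,   allowlisted peer, token:  ", StatusFor(HardenedMux(cidrs("203.0.113.0/24")), peer, demoToken))
}
```

The order inside 'guard' matters only for which error an attacker sees: the allowlist runs first so unlisted sources learn nothing about the authentication scheme. The allowlist keys on 'RemoteAddr'; behind a reverse proxy that is the proxy's address, so either allowlist the proxy and enforce the client check there, or derive the client IP from a proxy header you have verified is set by your own proxy and not by the client.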

Added: Mar 30, 2026, 6:23 PM
Updated: Mar 30, 2026, 6:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 2.5
exploitability: 9.1
remediation: 0.0
relevance: 4.9
threat: 6.7
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.