Nginx UI, a third-party web management interface for Nginx, contains a critical unauthenticated authentication bypass on its MCP endpoint actively exploited in the wild with a public proof-of-concept. Any internet-exposed instance running a version prior to 2.3.6 is at immediate risk of full web server takeover without attacker credentials. Approximately 2,600 internet-facing instances remain unpatched as of April 15, 2026.