Impact: No direct impact identified to Autodesk products or services.
Original Publish: 04/20/2026
| Severity | CVSS Score | Impact |
|---|---|---|
| Low | 0.1 - 3.9 | A vulnerability where scope and impact of exploitation is restricted and the ability to exploit is extremely difficult. |
| Medium | 4.0 - 6.9 | A vulnerability where exploitation is mitigated by factors such as difficulty to exploit, default configuration or ease of identification. |
| High | 7.0 - 8.9 | A vulnerability, which if exploited, would directly impact the confidentiality, integrity or availability of user's data or processing resources. |
| Critical | 9.0 - 10 | A vulnerability, which if exploited, would allow remote execution of malicious code without user action. |
Autodesk is aware of a publicly disclosed critical vulnerability affecting Model Context Protocol (MCP) in nginx-ui, a web-based administrative interface for Nginx. Autodesk has not identified any direct impact to our products or services.
In March 2026, researchers reported a critical issue in the nginx-ui MCP integration. The vulnerability is caused by insufficient authentication on the MCP message endpoint (/mcp_message), which can allow an unauthenticated remote attacker to invoke MCP tools. This may lead to unauthorized access to sensitive data, modification of Nginx configuration files, and restart or disruption of Nginx services.
Autodesk continuously monitors its software supply chain and applies rigorous security controls to mitigate risks associated with third-party dependencies.
Based on the internal investigation to date, Autodesk has not identified exposure to this vulnerability within its products or services. Autodesk will continue to monitor the situation and provide updates as necessary.
INFORMATION IN THIS DOCUMENT IS PROVIDED “AS IS” IN CONNECTION WITH AUTODESK PRODUCTS. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS AND ITS AND THEIR DIRECTORS, OFFICERS, EMPLOYEES, AGENTS AND REPRESENTATIVES MAKE NO REPRESENTATIONS ABOUT THE SITE, ANY PRODUCTS AND SERVICES CONTAINED ON THE SITE OR THE SUITABILITY OF THE INFORMATION CONTAINED IN THE MATERIALS, INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS PUBLISHED ON THIS SITE FOR ANY PURPOSE. THE SITE, ANY PRODUCTS OR SERVICES (INCLUDING WITHOUT LIMITATION, THIRD PARTY PRODUCTS AND SERVICES) OBTAINED THROUGH THE SITE, AND ALL SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS ARE PROVIDED FOR YOUR USE AT YOUR OWN RISK AND “AS IS” WITHOUT WARRANTY OF ANY KIND. AUTODESK AND/OR ITS RESPECTIVE SUBSIDIARIES, AFFILIATES, SUPPLIERS AND LICENSORS HEREBY DISCLAIM ALL WARRANTIES AND CONDITIONS WITH REGARD TO THIS SITE, SUCH PRODUCTS AND SERVICES AND SUCH INFORMATION, CONTENT, DOCUMENTS, AND RELATED GRAPHICS, INCLUDING ALL IMPLIED WARRANTIES AND CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT.
