Mopidy Security + Access

I have Mopidy + Iris + Icecast running on a VPS. Nginx is set-up with HTTP authentication, the firewall is set to block all incoming connections except port 80/Nginx & Icecast/port 8000, and I am in the process of setting up HTTPS certificates with appropriate firewall rules.

But if I stopped using Nginx and just left Mopidy/port 6680 open along with Icecast (as it was originally) & unencrypted, how much of a security risk is this? Is there any known security issue with having an open Mopidy server without HTTP authentication or SSL?