PT-2026-23481 · Nginx-Ui · Nginx-Ui

Tenbbughunters · Published 2026-03-05 · Updated 2026-05-12 · CVE-2026-27944

CVSS v3.1: 10 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Nginx UI versions prior to 2.3.3

Description: Nginx UI is a web user interface for the Nginx web server. A critical flaw exists where the '/api/backup' endpoint is accessible without authentication. When this endpoint is accessed, the server provides a full system backup and discloses the AES-256 encryption keys (key and IV) required to decrypt the backup in the 'X-Backup-Security' response header. This allows an unauthenticated remote attacker to download and immediately decrypt sensitive data, including user credentials, session tokens, SSL private keys, and Nginx configurations. The issue is caused by the CreateBackup() function in api/backup/router.go being registered without authentication middleware. Approximately 500 active instances were identified in the RuNet segment, with 35% potentially affected.

Recommendations: Update Nginx UI to version 2.3.3 or later. Restrict network access to the Nginx UI management interface so it is not reachable from the internet, using a VPN or an allowlist of IP addresses. Rotate all secrets, including Nginx UI user passwords, SSL certificates, and session tokens. Add an extra authentication layer, such as HTTP Basic Authentication, at the reverse proxy. Monitor logs for unauthorized requests to the '/api/backup' endpoint or the presence of the 'X-Backup-Security' header in responses.
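The monitoring recommendation above, as an added example that is not part of this advisory or of the Nginx UI project: a Python script that scans constructed Nginx access-log lines for '/api/backup' requests from outside an assumed management allowlist (the 10.0.0.0/8 network is a placeholder) and checks captured response headers for 'X-Backup-Security'.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample of Nginx combined-format access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2026:10:12:01 +0000] "GET /api/backup HTTP/1.1" 200 1048576 "-" "curl/8.5.0"
10.0.0.5 - - [05/Mar/2026:10:13:44 +0000] "GET /api/backup HTTP/1.1" 200 1048576 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2026:10:15:02 +0000] "GET /api/backup HTTP/1.1" 401 43 "-" "python-requests/2.31"
203.0.113.7 - - [05/Mar/2026:10:16:30 +0000] "GET /api/settings HTTP/1.1" 200 512 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)

# Assumed management allowlist; a placeholder to adapt to your own environment.
ALLOWED_NETS = [ip_network("10.0.0.0/8")]


def is_allowed(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def find_backup_hits(log_text: str):
    """Return /api/backup requests from non-allowlisted sources.

    Each hit is (ip, timestamp, status, severity): a 200 response means a
    backup (and the keys in its header) was actually served, so treat it as
    a confirmed disclosure; any other status still shows the endpoint was probed.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if path != "/api/backup" or is_allowed(m.group("ip")):
            continue
        severity = "critical" if m.group("status") == "200" else "probe"
        hits.append((m.group("ip"), m.group("ts"), m.group("status"), severity))
    return hits


def leaks_backup_key(headers: dict) -> bool:
    """True if a captured response carries the X-Backup-Security header (case-insensitive)."""
    return any(k.lower() == "x-backup-security" for k in headers)


if __name__ == "__main__":
    for hit in find_backup_hits(SAMPLE_LOG):
        print(hit)
```

Any 'critical' hit dated before the upgrade to 2.3.3 means the secret rotation step above is mandatory, not optional.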

Exploit

Fix

Weakness Enumeration

Missing Encryption of Sensitive Data
Missing Authentication

Related Identifiers

BDU:2026-02720
CVE-2026-27944
GHSA-G9W5-QFFC-6762
GO-2026-4614
SUSE-SU-2026:1042-1

Affected Products

Nginx-Ui