PT-2026-23481 · Nginx-Ui · Nginx-Ui

Tenbbughunters · Published 2026-03-05 · Updated 2026-03-23 · CVE-2026-27944

CVSS v2.0: 10 (Critical) · AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Nginx UI versions prior to 2.3.3

Description: Nginx UI, a web user interface for the Nginx web server, contains a critical flaw. The /api/backup endpoint is reachable without authentication, and the response discloses, in the X-Backup-Security header, the encryption keys needed to decrypt the backup it returns. An unauthenticated attacker can therefore download a full system backup containing sensitive data, including user credentials, session tokens, SSL private keys, and Nginx configurations, and decrypt it immediately. Exploitation is straightforward, requiring only a single HTTP GET request. The backup archive contains files such as database.db, app.ini, server.key/cert, nginx.conf, and sites-enabled/*. They are encrypted with AES-256-CBC, but because the keys travel in the same HTTP response as the archive, the encryption offers no protection against anyone who can reach the endpoint. The vulnerability has been assigned a CVSS score of 9.8 (Critical).

Recommendations: Update to version 2.3.3 or later. If an instance running a vulnerable version was reachable by untrusted parties, treat everything in the backup as exposed: rotate user credentials, invalidate active sessions, and reissue the SSL certificates whose private keys the backup contains.
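The following triage helpers are an added example, not part of this advisory or of the Nginx UI project. They cover the three checks a defender wants after reading the description above: whether a reported version is below 2.3.3, how to classify the response to a single unauthenticated GET /api/backup (a 200 carrying the X-Backup-Security header is the condition the advisory describes), and how to find successful backup downloads in reverse-proxy access logs. The path and header name come from the advisory; the "patched" classification assumes a fixed instance refuses the request with 401 or 403, the log parser assumes nginx's default combined format with Nginx UI served at the root path, and the sample log lines are constructed.

```python
"""Triage helpers for CVE-2026-27944 (Nginx UI < 2.3.3, unauthenticated /api/backup).

Added example; not the advisory's or the project's code. Assumptions are
marked inline.
"""
import re
from urllib.error import HTTPError
from urllib.request import Request, urlopen

FIXED_VERSION = (2, 3, 3)            # first fixed release per the advisory
BACKUP_PATH = "/api/backup"          # endpoint named in the advisory
KEY_HEADER = "x-backup-security"     # header that leaks the keys (compared case-insensitively)


def is_vulnerable_version(version: str) -> bool:
    """True when an Nginx UI version string (e.g. 'v2.3.2') is below 2.3.3."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparsable version: {version!r}")
    return tuple(int(x) for x in m.groups()) < FIXED_VERSION


def assess_response(status: int, headers: dict) -> str:
    """Classify the response to an unauthenticated GET /api/backup.

    'vulnerable': archive served (200) together with the key-bearing header.
    'patched'   : refused with 401/403 and no key header (assumption: this is
                  how a fixed instance behaves once authentication is enforced).
    'unclear'   : anything else, e.g. 200 without the header; inspect by hand.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    has_key = KEY_HEADER in lower
    if status == 200 and has_key:
        return "vulnerable"
    if status in (401, 403) and not has_key:
        return "patched"
    return "unclear"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """Send one unauthenticated GET to /api/backup and classify the result.

    Only the status line and headers are inspected; the body is not saved.
    Use only against instances you are authorised to test.
    """
    req = Request(base_url.rstrip("/") + BACKUP_PATH, method="GET")
    try:
        with urlopen(req, timeout=timeout) as resp:
            return assess_response(resp.status, dict(resp.headers.items()))
    except HTTPError as err:
        return assess_response(err.code, dict(err.headers.items()))


# nginx "combined" log format (assumption: Nginx UI sits behind nginx at the root path)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def backup_hits(log_lines):
    """Return (ip, time, status) for every successful (2xx) GET of /api/backup.

    A 2xx here on a vulnerable version means a full, decryptable backup left
    the host; the query string is ignored so '/api/backup?x=1' still counts.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "GET" and path.endswith(BACKUP_PATH) \
                and m.group("status").startswith("2"):
            hits.append((m.group("ip"), m.group("time"), int(m.group("status"))))
    return hits


# Constructed sample log lines (not real traffic): two successful downloads from
# one address, one unrelated request, one refused attempt after the upgrade.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2026:10:12:01 +0000] "GET /api/backup HTTP/1.1" 200 184320 "-" "curl/8.5.0"',
    '198.51.100.2 - - [05/Mar/2026:10:12:05 +0000] "GET /api/settings HTTP/1.1" 401 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Mar/2026:10:13:40 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 184320 "-" "python-requests/2.31"',
    '192.0.2.9 - - [05/Mar/2026:11:00:00 +0000] "GET /api/backup HTTP/1.1" 401 44 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, when, status in backup_hits(SAMPLE_LOG):
        print(f"backup downloaded by {ip} at {when} (HTTP {status})")
```

Any hit reported by backup_hits on a host that ran a vulnerable version should be treated as a confirmed disclosure of the files listed in the description, regardless of whether the X-Backup-Security header is visible in the proxy log: the advisory states the keys accompany every response, so the downloaded archive is decryptable by whoever fetched it.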

Exploit · Fix

Weakness Enumeration

Missing Authentication
Missing Encryption of Sensitive Data

Related Identifiers

BDU:2026-02720
CVE-2026-27944
GHSA-G9W5-QFFC-6762
GO-2026-4614

Affected Products

Nginx-Ui