
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-27944: Unauthenticated Backup Download and Encryption Key Disclosure in Nginx UI

Vulnerability ID: CVE-2026-27944
CVSS Score: 9.8
Published: 2026-03-05

A critical authentication bypass and information disclosure vulnerability exists in Nginx UI versions prior to 2.3.3. The application exposes the /api/backup endpoint without requiring authentication, allowing unauthenticated remote attackers to trigger and download full system backups. Compounding this issue, the backup generation logic explicitly includes the AES-256 encryption key and initialization vector (IV) in the HTTP response headers, enabling immediate decryption of the downloaded archives. This flaw permits complete system compromise through the exfiltration of database credentials, SSL private keys, and application configuration files.

TL;DR

Unauthenticated attackers can download full system backups from Nginx UI instances (< 2.3.3) via the /api/backup endpoint. The server response includes the AES decryption keys in the X-Backup-Security header, allowing attackers to decrypt sensitive data like database credentials and SSH keys. Fixed in version 2.3.3.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-306 (Missing Authentication for Critical Function), CWE-311 (Missing Encryption of Sensitive Data)
  • CVSS v3.1: 9.8 (Critical)
  • Attack Vector: Network (Remote)
  • Impact: Information Disclosure, Full System Compromise
  • Exploit Status: PoC Available
  • KEV Status: Not Listed (as of March 2026)

Affected Systems

  • Nginx UI < 2.3.3 (fixed in 2.3.3)

Exploit Details

Mitigation Strategies

  • Immediate Patching
  • Network Segmentation
  • Credential Rotation

Remediation Steps:

  1. Upgrade Nginx UI to version 2.3.3 or later immediately.
  2. If immediate upgrade is not possible, restrict access to the /api/backup endpoint using an external firewall or reverse proxy rule (e.g., blocking the URI path).
  3. Rotate all SSL certificates managed by the compromised Nginx UI instance.
  4. Reset all administrative passwords and regenerate any API keys stored within the application.
  5. Review access logs for GET requests to /api/backup originating from unknown IP addresses.
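Step 5 above is easy to do by hand on a small log but tedious on a busy one. The following script is an added example, not part of the original report or of the Nginx UI project: it triages access-log lines for requests to /api/backup that did not come from an allowlisted admin network, and marks which of them were actually served (HTTP 200 with a non-empty body), since on an unpatched instance those are the downloads that warrant the credential and certificate rotation described in steps 3 and 4. It assumes the standard nginx "combined" log format as written by a reverse proxy in front of Nginx UI; the admin network (10.0.0.0/8) and the log lines are constructed sample data.

```python
import re
from ipaddress import ip_address, ip_network

# Regex for the nginx "combined" log format. Adjust if your log_format differs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Hypothetical allowlist: networks from which backup downloads are expected
# (for example an admin jump host). Every other source is "unknown".
KNOWN_ADMIN_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2026:10:14:02 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "curl/8.5.0"
10.0.0.5 - - [05/Mar/2026:10:15:10 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Mar/2026:10:16:44 +0000] "GET /api/backup?x=1 HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.7 - - [05/Mar/2026:10:17:01 +0000] "GET /api/settings HTTP/1.1" 200 1200 "-" "curl/8.5.0"
this line is not a log record
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_known(ip, nets=None):
    """True if ip falls inside one of the allowlisted admin networks."""
    nets = KNOWN_ADMIN_NETS if nets is None else nets
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # malformed address: treat as unknown
    return any(addr in net for net in nets)


def find_backup_downloads(lines, nets=None):
    """Return records for /api/backup requests from non-allowlisted sources.

    Each record gets a 'served' flag: True when the server answered 200 with a
    non-empty body, i.e. the backup archive was most likely delivered.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # ignore any query string
        if path != "/api/backup":
            continue
        if is_known(rec["ip"], nets):
            continue
        rec["served"] = rec["status"] == 200 and rec["size"] > 0
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for f in find_backup_downloads(SAMPLE_LOG.splitlines()):
        verdict = "SERVED (rotate credentials/certs)" if f["served"] else "blocked/denied"
        print(f'{f["time"]}  {f["ip"]:<15} {f["method"]} {f["path"]} -> {f["status"]}  {verdict}')
```

Run it against a real log with `python3 triage.py < access.log` after swapping `SAMPLE_LOG.splitlines()` for `sys.stdin`; the unknown-source hits marked SERVED are the ones that should drive incident response, while 401/403 hits from unknown sources after the upgrade to 2.3.3 are expected and simply confirm the fix is in place.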

