CVE-2026-27944
Unauthenticated Backup Disclosure in Nginx UI via /api/backup
Publication date: 2026-03-05
Last updated on: 2026-03-10
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nginxui | nginx_ui | up to 2.3.3 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-311 | The product does not encrypt sensitive or critical information before storage or transmission. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-27944 is a critical vulnerability in the nginx-ui package versions prior to 2.3.3. The vulnerability exists because the /api/backup endpoint is accessible without any authentication, allowing anyone to download a full system backup.
Although the backup data is encrypted using AES-256-CBC, the encryption key and initialization vector (IV) are disclosed in plaintext in the HTTP response header named X-Backup-Security. This means an attacker can immediately decrypt the backup.
The backup contains sensitive information such as user credentials, session tokens, SSL private keys, and Nginx configuration files. This combination of missing authentication and encryption key disclosure allows an unauthenticated attacker to fully access and decrypt sensitive system data.
How can this vulnerability impact me?
This vulnerability can have severe impacts including full compromise of the confidentiality, integrity, and availability of your system.
- An attacker can download a full system backup without any authentication.
- The attacker can decrypt the backup immediately because the encryption keys are exposed in the HTTP headers.
- Sensitive data such as user credentials, session tokens, SSL private keys, and configuration files can be stolen.
- This can lead to unauthorized access, data breaches, and potential further exploitation of the system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if the /api/backup endpoint is accessible without authentication and if it discloses the encryption keys in the X-Backup-Security HTTP response header.
A simple way to test this is to send an unauthenticated GET request to the /api/backup endpoint and observe the response headers and content.
- Use curl to send a GET request and check for the X-Backup-Security header: `curl -i http://<nginx-ui-host>/api/backup`
- Look for the presence of the X-Backup-Security header in the response, which contains the Base64-encoded AES key and IV.
- If the backup file is returned without requiring authentication and the header is present, the system is vulnerable.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade nginx-ui to version 2.3.3 or later, where the vulnerability is patched.
The patch adds authentication middleware to the /api/backup endpoint and prevents the encryption key disclosure in the HTTP headers.
Until the upgrade can be performed, restrict access to the /api/backup endpoint by network controls such as firewall rules or reverse proxy configurations to prevent unauthenticated access.
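One way to apply the interim network control described above, as an added example that is not part of this record or of the Nginx UI project: a reverse-proxy server block placed in front of an unpatched Nginx UI instance that refuses /api/backup for every client outside an administrative address range. The upstream address (127.0.0.1:9000), the admin range (10.0.0.0/8) and the hostname are assumed placeholders.

```nginx
# Added example (not from the CVE record or the Nginx UI project).
# Reverse proxy in front of an unpatched Nginx UI instance. Assumed values:
# Nginx UI bound to 127.0.0.1:9000, administrators on 10.0.0.0/8.
server {
    listen 443 ssl;
    server_name nginx-ui.example.internal;
    # ssl_certificate / ssl_certificate_key omitted; supply your own.

    # The vulnerable endpoint: only the admin range may reach it at all.
    # Everyone else receives 403 before the request is forwarded upstream,
    # so neither the backup archive nor the X-Backup-Security header can
    # leave the host for an unauthenticated client.
    location = /api/backup {
        allow 10.0.0.0/8;
        deny all;
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # All other Nginx UI routes keep their normal behaviour.
    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

This only helps if Nginx UI itself listens on loopback (or is otherwise unreachable except through the proxy); a directly exposed backend bypasses the rule entirely, so verify the bind address before relying on it.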