CVE-2026-27944
Undergoing Analysis - In Progress
Unauthenticated Backup Disclosure in Nginx UI via /api/backup

Publication date: 2026-03-05

Last updated on: 2026-03-10

Assigner: GitHub, Inc.

Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
Meta Information
Published: 2026-03-05
Last Modified: 2026-03-10
Generated: 2026-06-16
AI Q&A: 2026-03-05
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: nginxui
Product: nginx_ui
Version / Range: up to 2.3.3 (exclusive)
CWE
CWE-311: The product does not encrypt sensitive or critical information before storage or transmission.
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Executive Summary

CVE-2026-27944 is a critical vulnerability in the nginx-ui package versions prior to 2.3.3. The vulnerability exists because the /api/backup endpoint is accessible without any authentication, allowing anyone to download a full system backup.

Although the backup data is encrypted using AES-256-CBC, the encryption key and initialization vector (IV) are disclosed in plaintext in the HTTP response header named X-Backup-Security. This means an attacker can immediately decrypt the backup.

The backup contains sensitive information such as user credentials, session tokens, SSL private keys, and Nginx configuration files. This combination of missing authentication and encryption key disclosure allows an unauthenticated attacker to fully access and decrypt sensitive system data.

Impact Analysis

This vulnerability can have severe impact, up to full compromise of the confidentiality, integrity, and availability of the affected system.

  • An attacker can download a full system backup without any authentication.
  • The attacker can decrypt the backup immediately because the encryption keys are exposed in the HTTP headers.
  • Sensitive data such as user credentials, session tokens, SSL private keys, and configuration files can be stolen.
  • This can lead to unauthorized access, data breaches, and potential further exploitation of the system.

Detection Guidance

This vulnerability can be detected by checking if the /api/backup endpoint is accessible without authentication and if it discloses the encryption keys in the X-Backup-Security HTTP response header.

A simple way to test this is to send an unauthenticated GET request to the /api/backup endpoint and observe the response headers and content.

  • Use curl to send an unauthenticated GET request and inspect the response headers: curl -i http://<nginx-ui-host>/api/backup
  • Look for the X-Backup-Security header in the response; on a vulnerable version it carries the Base64-encoded AES key and IV.
  • If the backup file is returned without authentication and the header is present, the instance is vulnerable.
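For the incident-response side of the same check, the following is an added example (not part of this database entry or of the Nginx UI project): it parses NGINX access log lines in the combined format and reports which source addresses successfully retrieved /api/backup, so an instance that was exposed before 2.3.3 can be checked for prior backup downloads. The log lines are constructed for illustration, and the combined log format and the 200 status as the success indicator are assumptions.

```python
import re
from collections import Counter

# Constructed sample access log lines (NGINX "combined" format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2026:10:12:01 +0000] "GET /api/backup HTTP/1.1" 200 1842213 "-" "curl/8.5.0"
198.51.100.4 - - [05/Mar/2026:10:12:05 +0000] "GET /api/settings HTTP/1.1" 401 35 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Mar/2026:10:13:44 +0000] "GET /api/backup HTTP/1.1" 200 1842213 "-" "python-requests/2.31"
192.0.2.9 - - [05/Mar/2026:11:02:10 +0000] "GET /api/backup HTTP/1.1" 401 52 "-" "Mozilla/5.0"
"""

# Combined format: ip ident user [time] "method path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["status"] = int(ev["status"])
    ev["size"] = 0 if ev["size"] == "-" else int(ev["size"])
    return ev


def find_backup_downloads(log_text, path="/api/backup"):
    """Return events where a client successfully retrieved the backup endpoint.

    On a version before 2.3.3 a 200 on /api/backup means a full backup, together
    with the key material in the response header, left the host (assumption:
    200 is the success status). Every such source address needs triage.
    """
    hits = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev["path"].split("?")[0] == path and ev["status"] == 200:
            hits.append(ev)
    return hits


def summarize(hits):
    """Count successful backup downloads per source IP."""
    return Counter(h["ip"] for h in hits)


if __name__ == "__main__":
    for ip, n in summarize(find_backup_downloads(SAMPLE_LOG)).items():
        print(f"{ip}: {n} successful backup download(s)")
```

Run it against the real access log of the reverse proxy in front of Nginx UI; any address listed downloaded a backup and the credentials, tokens and keys it contained should be treated as exposed.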
Mitigation Strategies

The immediate mitigation step is to upgrade nginx-ui to version 2.3.3 or later, where the vulnerability is patched.

The patch adds authentication middleware to the /api/backup endpoint and prevents the encryption key disclosure in the HTTP headers.

Until the upgrade can be performed, restrict access to the /api/backup endpoint with network controls such as firewall rules or reverse proxy configuration so that unauthenticated clients cannot reach it.
