Cyber Posture

CVE-2026-27944

Critical · Public PoC

Published: 05 March 2026
Modified: 10 March 2026
KEV Added: (no date listed)
Patch: available (fixed in version 2.3.3)
CVSS v3.1 base score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.0583 (90.6th percentile)
Risk Priority: 23 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
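The following is an added example, not code from this page or from the Nginx UI project. It gives an operator a non-destructive way to tell whether an instance still shows the behaviour the advisory describes: it sends one unauthenticated GET to /api/backup and looks only at the status code and at whether the X-Backup-Security header is present, without saving or decrypting the body. The header name and path come from the advisory; the verdict labels, the local mock server used to demonstrate both outcomes offline, and the key material the mock returns are all constructed for this example and say nothing about how Nginx UI itself is implemented beyond what the advisory states.

```python
"""Check whether an Nginx UI instance serves /api/backup without authentication.

Added example, not from the page or the Nginx UI project. classify() maps an
unauthenticated response to a verdict; probe() performs one GET and never
reads the body. MockNginxUI is a constructed stand-in used only to show both
outcomes offline.
"""
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

BACKUP_PATH = "/api/backup"
KEY_HEADER = "X-Backup-Security"  # header named in the advisory


def classify(status, headers):
    """Map an unauthenticated response to a verdict.

    headers may be any mapping with .get(); http.client.HTTPMessage (which
    urllib returns) is case-insensitive, a plain dict is not.
    """
    has_key = headers.get(KEY_HEADER) is not None
    if status == 200 and has_key:
        return "vulnerable"      # backup served and key disclosed: pre-2.3.3 behaviour
    if status in (401, 403):
        return "protected"       # authentication is being enforced
    if status == 200:
        return "review"          # 200 without the key header (e.g. a login page after a redirect)
    return "inconclusive"        # 404, 5xx, connection-level oddities


def probe(base_url, timeout=5):
    """Send one unauthenticated GET to /api/backup and classify the response."""
    req = urllib.request.Request(base_url.rstrip("/") + BACKUP_PATH, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers)   # body is never read
    except urllib.error.HTTPError as err:
        return classify(err.code, err.headers)           # 401/403/404 arrive here


class MockNginxUI(BaseHTTPRequestHandler):
    """Constructed stand-in: "vulnerable" mode answers as the advisory describes
    a pre-2.3.3 instance, "patched" mode refuses the unauthenticated request."""
    mode = "vulnerable"

    def do_GET(self):
        if self.path != BACKUP_PATH:
            self.send_response(404)
            self.send_header("Content-Length", "0")
            self.end_headers()
        elif self.mode == "vulnerable":
            body = b"<constructed encrypted backup bytes>"
            self.send_response(200)
            self.send_header("Content-Type", "application/zip")
            self.send_header(KEY_HEADER, "constructed-key-material")  # not a real key
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_response(401)
            self.send_header("Content-Length", "0")
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output to the verdicts


def run_demo(mode):
    """Start the mock in the given mode on a free port, probe it, return the verdict."""
    MockNginxUI.mode = mode
    server = HTTPServer(("127.0.0.1", 0), MockNginxUI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("http://127.0.0.1:%d" % server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # python check.py https://nginx-ui.example
        print(probe(sys.argv[1]))
    else:
        for m in ("vulnerable", "patched"):
            print(m, "->", run_demo(m))
```

A "review" verdict usually means the request was redirected to a login page that answered 200; look at the final URL and content type before drawing a conclusion. Run this only against instances you are responsible for, and treat a "vulnerable" result as a signal to upgrade and to rotate the credentials and private keys a backup would contain, since you cannot tell from the check alone whether someone else has already pulled it.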

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

- AC-14 (prevent): Permitted Actions without Identification or Authentication requires the organization to identify and document the actions allowed without authentication. Downloading a system backup is not such an action, so applying this control keeps /api/backup behind authentication.
- SC-14 (prevent): cited here for its protection of public access points, but SC-14 (Public Access Protections) is withdrawn in the current revision of SP 800-53; its coverage is provided by AC-2, AC-3, AC-5, AC-6, SI-3, SI-4, SI-5, SI-7 and SI-10, so for this issue the operative control is AC-3 below.
- AC-3 (prevent): Access Enforcement requires the system to enforce approved authorizations on every request, which blocks unauthenticated requests to download the backup regardless of what the response header carries.

Note that access control alone does not address the second half of the defect: returning the decryption key next to the ciphertext makes the backup encryption worthless to anyone who can reach the endpoint. The fix needs both authentication on the route and removal of the key from the response, which is what version 2.3.3 does.

Security Summary (AI-generated)

CVE-2026-27944 affects Nginx UI, a web user interface for the Nginx web server, in versions prior to 2.3.3. The /api/backup endpoint is reachable without authentication and returns, in the X-Backup-Security response header, the encryption keys needed to decrypt the backup it serves. The page maps the flaw to CWE-306 (Missing Authentication for Critical Function) and CWE-311 (Missing Encryption of Sensitive Data); the backup itself is encrypted, but shipping the key in the same response leaves the data effectively unprotected against anyone who can reach the endpoint. An attacker can therefore retrieve and immediately decrypt a full system backup containing user credentials, session tokens, SSL private keys and Nginx configurations. The CVSS v3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): reachable over the network, low attack complexity, no privileges or user interaction required, and high impact on confidentiality, integrity and availability.

Any unauthenticated remote attacker who can reach the Nginx UI instance can exploit this. A single GET request to /api/backup returns both the encrypted backup file and, in the response header, the key that decrypts it, so no further privileges or user interaction are needed. Because the backup includes session tokens, user credentials and TLS private keys, a download by an untrusted party should be handled as a compromise of the instance and of every key it held: upgrade, then rotate those credentials and keys and invalidate existing sessions, rather than only upgrading.

The issue has been addressed in Nginx UI version 2.3.3, which adds the authentication requirement and stops exposing the key. Additional details are available in the GitHub Security Advisory at https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762.

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function), CWE-311 (Missing Encryption of Sensitive Data)

Affected Products: nginxui / nginx ui, versions prior to 2.3.3 (fixed in 2.3.3)

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1212 Exploitation for Credential Access (Credential Access): Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Why these techniques?

Requesting /api/backup on an Internet-facing Nginx UI instance is a direct exploit of a public-facing application (T1190), and the backup it returns, together with the key to decrypt it, hands the attacker stored user credentials, session tokens, private keys and Nginx configurations (T1212).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
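The following is an added example, not code from this page or from the Nginx UI project, for the detection side of the two techniques above. It assumes Nginx UI is fronted by an nginx reverse proxy that writes the standard "combined" access-log format, and that the operator knows the source addresses from which administrators legitimately take backups; both are assumptions for the example. It parses log lines, keeps only requests to /api/backup, and grades each one: a 200 to an untrusted source means a backup and its key most likely left the host, a 200 to a trusted source is worth confirming with the operator, and a 401/403 shows someone probing the endpoint. The sample lines are constructed with TEST-NET addresses and are not real traffic.

```python
"""Flag access-log evidence of requests to the Nginx UI /api/backup endpoint.

Added example, not from the page or the Nginx UI project. Assumes an nginx
reverse proxy in front of Nginx UI logging in the "combined" format; the log
lines at the bottom are constructed for the demo.
"""
import re

BACKUP_PATH = "/api/backup"

# nginx "combined": remote_addr - remote_user [time] "request" status bytes "referer" "user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["path"] = rec["path"].split("?", 1)[0]   # compare the path without its query string
    return rec


def analyse(lines, trusted_ips=frozenset()):
    """Return one finding per request to /api/backup, in log order.

    Severity rules (an endpoint that must be authenticated should never answer
    200 to an unknown source):
      critical - 200 to a source not in trusted_ips: assume backup and key were taken
      info     - 200 to a trusted source: confirm an operator really took a backup
      attempt  - 401/403: refused, but the endpoint is being probed
      other    - any other status (404, 5xx, redirects)
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != BACKUP_PATH:
            continue
        if rec["status"] == 200:
            sev = "info" if rec["ip"] in trusted_ips else "critical"
        elif rec["status"] in (401, 403):
            sev = "attempt"
        else:
            sev = "other"
        findings.append({"severity": sev, "ip": rec["ip"], "ts": rec["ts"],
                         "status": rec["status"], "bytes": rec["bytes"], "ua": rec["ua"]})
    return findings


# Constructed sample lines (TEST-NET addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2026:10:14:58 +0000] "GET /api/settings HTTP/1.1" 401 0 "-" "python-requests/2.31.0"
203.0.113.7 - - [05/Mar/2026:10:15:02 +0000] "GET /api/backup HTTP/1.1" 200 184320 "-" "python-requests/2.31.0"
10.0.0.5 - - [05/Mar/2026:09:00:00 +0000] "GET /api/backup?format=zip HTTP/1.1" 200 184320 "https://nginx-ui.internal/" "Mozilla/5.0"
198.51.100.9 - - [06/Mar/2026:11:00:00 +0000] "GET /api/backup HTTP/1.1" 401 0 "-" "curl/8.5.0"
garbage line that does not parse
""".splitlines()

TRUSTED = frozenset({"10.0.0.5"})   # assumed admin source address for the demo


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG, TRUSTED):
        print(f"{f['severity']:9} {f['ip']:15} {f['ts']} status={f['status']} "
              f"bytes={f['bytes']} ua={f['ua']}")
```

On a real log, pay attention to the bytes column of critical findings: a 200 with a body size in the range of a full backup is the strongest signal, while a 200 with a tiny body may be a proxy error page. If Nginx UI is exposed directly rather than behind nginx, its own request log will have a different format and the regular expression needs adjusting.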
