A critical unauthenticated vulnerability in Nginx UI (CVE-2026-27944, CVSS 9.8) allows attackers to download full server backups and exposes sensitive configuration data, credentials, and encryption keys. The /api/backup endpoint returns the AES-256 encryption key and IV in the X-Backup-Security response header, enabling immediate decryption of backups and full compromise of the Nginx environment. #CVE-2026-27944 #NginxUI
Key points
- CVE-2026-27944 allows unauthenticated download of full Nginx UI backups.
- The /api/backup endpoint exposes the AES-256 encryption key and IV in the X-Backup-Security HTTP header.
- Decrypted backups can reveal admin credentials, session tokens, SSL private keys, databases, and configuration files.
- Attackers could gain management access, alter configurations, redirect traffic, or perform SSL impersonation.
- Mitigations include removing public exposure of management interfaces, using VPNs or IP allowlisting, enabling MFA, applying network segmentation, and patching promptly.
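The unauthenticated /api/backup download described above leaves a trace in the Nginx access log. As an added detection example (not code from the advisory or from the Nginx UI project), the check below scans combined-format access-log lines for successful /api/backup responses from addresses outside an assumed management allowlist; the log lines and the allowlist ranges are constructed for illustration.

```python
import re
import ipaddress

# Constructed sample lines in Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.45 - - [10/Mar/2026:14:02:11 +0000] "GET /api/backup HTTP/1.1" 200 5242880 "-" "curl/8.4.0"
10.0.0.12 - - [10/Mar/2026:14:05:32 +0000] "GET /api/backup HTTP/1.1" 200 5242880 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:14:06:01 +0000] "GET /api/backup HTTP/1.1" 401 45 "-" "python-requests/2.31"
10.0.0.12 - - [10/Mar/2026:14:07:15 +0000] "GET /api/settings HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2026:14:08:40 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 5242880 "-" "curl/8.4.0"
"""

# Assumed management networks; adjust to the real allowlist.
MANAGEMENT_NETS = ["10.0.0.0/8", "192.168.0.0/16"]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

def find_backup_downloads(log_text, allowed_nets=MANAGEMENT_NETS):
    """Return successful /api/backup requests from non-allowlisted sources."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Strip the query string so /api/backup?x=1 is still matched.
        path = m.group("path").split("?", 1)[0]
        if path != "/api/backup" or m.group("status") != "200":
            continue
        src = ipaddress.ip_address(m.group("ip"))
        if any(src in net for net in nets):
            continue  # expected management traffic
        hits.append({"ip": str(src), "time": m.group("ts"),
                     "bytes": m.group("size")})
    return hits

if __name__ == "__main__":
    for hit in find_backup_downloads(SAMPLE_LOG):
        print(f"ALERT backup download from {hit['ip']} at {hit['time']} "
              f"({hit['bytes']} bytes)")
```

A hit here means a full backup left the host; treat the encryption key and IV carried in the X-Backup-Security header as exposed and rotate the credentials and keys the backup contains.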