A critical vulnerability in Nginx UI (CVE-2026-27944) allows unauthenticated attackers to download server backups and obtain the encryption keys returned in the same HTTP response. Exploitable via the /api/backup endpoint in versions earlier than 2.3.2, the flaw enables immediate decryption of archives containing configuration files, credentials, session tokens, and private SSL keys, and is fixed in 2.3.3. #CVE-2026-27944 #NginxUI
Key points
- CVE-2026-27944 lets unauthenticated users access the /api/backup endpoint.
- The X-Backup-Security response header exposes the AES-256-CBC key and IV in plaintext.
- Attackers can retrieve and immediately decrypt backup ZIPs containing credentials and private SSL keys.
- The root causes are missing authentication middleware and improper handling of encryption data (CWE-306).
- Nginx UI versions before 2.3.2 are vulnerable; upgrade to 2.3.3 to apply the patch.
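To make the two root causes concrete (a backup route with no authentication middleware, and key material returned in the same HTTP response as the ciphertext), here is an added Go illustration using only net/http and httptest. It is not Nginx UI's code: the handler names, the constructed bearer token, the placeholder archive bytes and the choice to hold key material server-side are all assumptions of this example, and the page does not describe how 2.3.3 delivers the key after the fix. The vulnerable handler reproduces the pattern the advisory describes; the hardened one wraps the route in an auth check and keeps the key out of the download response.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed bearer token standing in for a real session; not an Nginx UI value.
const validToken = "constructed-session-token"

// Constructed stand-in for the encrypted backup ZIP bytes.
var backupArchive = []byte("PK\x03\x04 constructed encrypted archive placeholder")

// issuedKeys models server-side retention of key material for a separate,
// authenticated retrieval step (assumed design, not the project's).
var issuedKeys [][]byte

// generateKeyIV makes a fresh AES-256-CBC key (32 bytes) and IV (16 bytes).
func generateKeyIV() (key, iv []byte, err error) {
	key = make([]byte, 32)
	iv = make([]byte, 16)
	if _, err = rand.Read(key); err != nil {
		return nil, nil, err
	}
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, err
	}
	return key, iv, nil
}

// vulnerableBackupHandler reproduces the flaw pattern: no authentication
// check, and the key and IV placed in the X-Backup-Security response header
// alongside the ciphertext they protect.
func vulnerableBackupHandler(w http.ResponseWriter, r *http.Request) {
	key, iv, err := generateKeyIV()
	if err != nil {
		http.Error(w, "key generation failed", http.StatusInternalServerError)
		return
	}
	w.Header().Set("X-Backup-Security", hex.EncodeToString(key)+":"+hex.EncodeToString(iv))
	w.Header().Set("Content-Type", "application/zip")
	_, _ = w.Write(backupArchive)
}

// requireAuth is the missing middleware: reject any request without a valid session.
func requireAuth(next http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+validToken {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	}
}

// hardenedBackupHandler serves the archive only behind requireAuth and never
// emits key material in the response that carries the ciphertext.
func hardenedBackupHandler(w http.ResponseWriter, r *http.Request) {
	key, iv, err := generateKeyIV()
	if err != nil {
		http.Error(w, "key generation failed", http.StatusInternalServerError)
		return
	}
	issuedKeys = append(issuedKeys, append(key, iv...))
	w.Header().Set("Content-Type", "application/zip")
	_, _ = w.Write(backupArchive)
}

// probe sends one GET /api/backup to a handler and reports the status code
// and whether the X-Backup-Security header carried key material.
func probe(h http.HandlerFunc, authenticated bool) (status int, keyExposed bool) {
	req := httptest.NewRequest(http.MethodGet, "/api/backup", nil)
	if authenticated {
		req.Header.Set("Authorization", "Bearer "+validToken)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("X-Backup-Security") != ""
}

func main() {
	hardened := requireAuth(hardenedBackupHandler)
	cases := []struct {
		name string
		h    http.HandlerFunc
		auth bool
	}{
		{"vulnerable, no auth", vulnerableBackupHandler, false},
		{"hardened, no auth", hardened, false},
		{"hardened, with auth", hardened, true},
	}
	for _, c := range cases {
		status, exposed := probe(c.h, c.auth)
		fmt.Printf("%-22s status=%d key_in_response=%v\n", c.name, status, exposed)
	}
}
```

Running it shows the vulnerable route answering an unauthenticated request with 200 and a populated X-Backup-Security header, while the hardened route returns 401 without a session and, even with one, never places the key next to the archive. The same probe, pointed at a staging instance's own /api/backup with no credentials, is a reasonable post-upgrade regression check.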
Read More: https://thecyberexpress.com/cve-2026-27944-nginx-ui-backup-vulnerability/