Critical Nginx UI Vulnerability Exposes Server Backups and Sensitive Data – The Cyber Express


A newly disclosed vulnerability in Nginx UI, tracked as CVE-2026-27944, has raised major security concerns after researchers confirmed that attackers can download and decrypt server backups without authentication. The flaw, which carries a CVSS score of 9.8, represents a critical security risk for organizations that expose their Nginx UI management interface to the public internet. 

Security researchers attribute the issue primarily to CWE-306 (Missing Authentication for Critical Function), along with improper handling of encryption data. When exploited, CVE-2026-27944 allows unauthenticated attackers to retrieve sensitive backup archives and decrypt them immediately, potentially exposing configuration files, credentials, session tokens, and private SSL keys. 

CVE-2026-27944: Unauthenticated Access in Nginx UI Backup Endpoint 

According to the official advisory, the vulnerability stems from the /api/backup endpoint in Nginx UI, which is accessible without any authentication controls. The advisory explains: 

“The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header.” 

Because of this design flaw, attackers exploiting CVE-2026-27944 can request a full system backup and receive the data directly from the server. Even though the backup files are encrypted, the encryption keys are exposed within the same HTTP response. 

This behavior reflects a classic example of CWE-306, where a critical function, downloading full system backups, is accessible without verifying the identity of the requester. 


The vulnerability affects Nginx UI versions earlier than 2.3.2, while version 2.3.3 contains a patch that addresses the issue. 

Technical Details Behind the CVE-2026-27944 Flaw 

The root cause of CVE-2026-27944 lies in two implementation mistakes within Nginx UI. 

First, the backup endpoint is registered without authentication middleware in the api/backup/router.go file: 

While the restore endpoint includes a security middleware layer, the backup endpoint remains completely open. This oversight creates a severe CWE-306 security gap, allowing anyone to request sensitive backups. 

Second, the encryption key and initialization vector (IV) used to protect the backup files are transmitted in plaintext within the HTTP response header. The vulnerable code in api/backup/backup.go sends the keys through the X-Backup-Security header: 

The encryption scheme itself uses AES-256-CBC, with the key encoded in Base64 as a 32-byte value and the IV encoded as a 16-byte value. However, because CVE-2026-27944 exposes these keys alongside the encrypted file, attackers can decrypt the data instantly. 
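As an added illustration, not Nginx UI's own code (which the article does not reproduce), the two registration patterns rebuilt with Go's standard net/http: `vulnerableMux` mirrors the reported state, with /api/restore behind an authentication middleware while /api/backup is registered bare and emits key material in X-Backup-Security, and `hardenedMux` wraps the whole route group behind the same middleware. The bearer token and the header values are constructed placeholders.

```go
package main

import (
	"crypto/subtle"
	"net/http"
)

// Constructed placeholder token for the example; not a real Nginx UI credential.
const validToken = "constructed-example-token"

// authRequired stands in for the session middleware: reject requests without a valid bearer token.
func authRequired(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		want := []byte("Bearer " + validToken)
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// backupHandler serves the ciphertext only; key material never rides in the same response.
func backupHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Content-Type", "application/zip")
	w.Write([]byte("PK\x03\x04")) // placeholder for the encrypted ZIP body
}

func restoreHandler(w http.ResponseWriter, r *http.Request) { w.Write([]byte("restore ok")) }

// vulnerableMux mirrors the flaw: restore is behind the middleware, backup is bare and leaks the key.
func vulnerableMux() *http.ServeMux {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/backup", func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("X-Backup-Security", "PLACEHOLDER_KEY_B64,PLACEHOLDER_IV_B64") // constructed values
		backupHandler(w, r)
	})
	mux.Handle("/api/restore", authRequired(http.HandlerFunc(restoreHandler)))
	return mux
}

// hardenedMux wraps the whole /api/ group once, so no route can be added without authentication.
func hardenedMux() *http.ServeMux {
	group := http.NewServeMux()
	group.HandleFunc("/api/backup", backupHandler)
	group.HandleFunc("/api/restore", restoreHandler)
	mux := http.NewServeMux()
	mux.Handle("/api/", authRequired(group))
	return mux
}
```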

Sensitive Data Exposed in Nginx UI Backups 

A compromised Nginx UI backup contains a large amount of sensitive operational information. The archive includes multiple encrypted files that store core server data. 

For example, the nginx-ui.zip archive typically contains: 

  • database.db – storing user credentials and session tokens 
  • app.ini – application configuration with secrets 
  • server.key and server.cert – SSL certificates 

Another archive, nginx.zip, contains: 

  • nginx.conf – the primary Nginx configuration file 
  • sites-enabled directory – virtual host configuration files 
  • ssl directory – private SSL keys 

Additionally, a file named hash_info.txt stores SHA-256 integrity hashes for the backup components. Because CVE-2026-27944 exposes both the encrypted files and the AES keys, attackers can easily decrypt these archives and obtain a complete picture of the target server’s environment. 

Proof-of-Concept Demonstrates Real-World Exploitation 

Researchers also released a Proof-of-Concept (PoC) exploit demonstrating how easily CVE-2026-27944 can be abused. The exploit script sends a simple unauthenticated GET request to: 

If the server is vulnerable, it responds with a backup ZIP file along with the X-Backup-Security header containing the encryption key and IV. An example response header looks like this: 

The first value represents the Base64-encoded AES-256 key, while the second represents the initialization vector. Once retrieved, these values can be used to decrypt the archive contents using standard cryptographic libraries. 

The PoC demonstrates how attackers can automatically download, decrypt, and extract the backup files to recover sensitive data such as credentials and configuration information. 
