Critical Nginx UI Vulnerabilities Allow Attacker to Download a Full System Backup

A newly discovered critical vulnerability in Nginx UI allows unauthenticated attackers to download and decrypt full system backups.

Tracked as CVE-2026-27944, this flaw is categorized as CWE-306 and CWE-311, carrying a maximum CVSS score of 9.8.

It affects all versions of Nginx UI before 2.3.2; administrators are advised to apply the security patch by upgrading to 2.3.3.

The vulnerability stems from two major security failures in the Nginx UI Go codebase.

The /api/backup endpoint lacks authentication checks, leaving it fully exposed to the public internet, unlike other protected management endpoints.

Furthermore, the system mistakenly sends the Base64-encoded AES-256 encryption key and Initialization Vector (IV) in plain text within the X-Backup-Security HTTP response header.


An attacker sends a standard GET request to the backup endpoint, downloads the encrypted ZIP archives, and uses the key and IV returned in the response header to unlock their contents instantly.

A public Proof-of-Concept (PoC) script is already available, demonstrating how easily this flaw can be exploited with Python to extract the targeted files.

Once the backup is decrypted, the attacker gains access to highly sensitive system files, including the database.db file containing user credentials and the app.ini configuration file.

Through this exploit, all SSL certificates, private keys, Nginx configuration files, and virtual host setups are fully exposed to the attacker.

With this information, threat actors can effortlessly take over the Nginx UI management console or intercept secure communications via man-in-the-middle attacks.

The stolen credentials and session tokens can also be weaponized to pivot into deeper network intrusions.

Mitigations

Regarding mitigation and response, upgrading the Nginx UI to version 2.3.3 or later is the immediate, most critical action.

According to GitHub’s advisory, organizations should also enforce strict access control by restricting network access to the /api/backup endpoint using firewalls.

Until the patch can be applied, security teams should block public access to the /api/backup endpoint and restrict all management interfaces to trusted internal networks only.

For proactive detection purposes, security teams must monitor server logs for unexpected or unauthenticated GET /api/backup HTTP requests.

Additionally, to check for direct exposure, administrators should continuously inspect outgoing HTTP responses for the presence of the X-Backup-Security header containing the leaked Base64 keys.
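The two detection checks above can be scripted. The following is an added example written for this article, not code from the Nginx UI project or the advisory: it scans Nginx access-log lines in the standard "combined" format for successful GET /api/backup requests from outside a set of trusted management networks, and separately flags any HTTP response header set that carries X-Backup-Security. The log lines and the trusted network ranges are constructed assumptions for the demonstration; the header value is a placeholder and is never decoded.

```python
import ipaddress
import re
from typing import Iterable

# Constructed sample lines in Nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:10:00:01 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "python-requests/2.31"
10.0.0.7 - - [10/Mar/2026:10:00:05 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:10:00:09 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 48213 "-" "curl/8.4"
198.51.100.2 - - [10/Mar/2026:10:01:00 +0000] "GET /api/sites HTTP/1.1" 401 0 "-" "curl/8.4"
"""

# Assumption: these are the organisation's trusted management networks.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Parses the leading fields of a "combined" log line: client IP, user, timestamp,
# request line and status code. Everything after the status is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_trusted(ip: str) -> bool:
    """True if the client address falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_NETS)


def find_backup_downloads(lines: Iterable[str]) -> list[dict]:
    """Return successful GET /api/backup requests that came from untrusted networks."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        # Strip any query string so "/api/backup?x=1" is still matched.
        path = m["target"].split("?", 1)[0]
        if m["method"] != "GET" or path != "/api/backup":
            continue
        if not m["status"].startswith("2"):
            continue  # a blocked or failed attempt is not a confirmed download
        if is_trusted(m["ip"]):
            continue
        hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"]})
    return hits


def leaks_backup_key(headers: dict) -> bool:
    """True if a response header set contains a non-empty X-Backup-Security header.

    HTTP header names are case-insensitive, so compare in lower case. The value
    is only tested for presence; it is never decoded.
    """
    return any(k.lower() == "x-backup-security" and v for k, v in headers.items())


if __name__ == "__main__":
    for h in find_backup_downloads(SAMPLE_LOG.splitlines()):
        print(f"ALERT: backup downloaded by untrusted client {h['ip']} at {h['time']}")
    # Constructed response headers with a placeholder (not a real key) in the header.
    demo_headers = {"Content-Type": "application/zip", "X-Backup-Security": "ZmFrZS1rZXk="}
    print("X-Backup-Security present:", leaks_backup_key(demo_headers))
```

Run against the sample, the scan reports the two downloads from 203.0.113.x and ignores the one from the trusted 10.0.0.0/8 range and the unrelated /api/sites request; in practice, pipe the live access log into find_backup_downloads and feed response headers captured by a proxy or the server's own log format into leaks_backup_key.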
