CVE-2026-27944

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-05 19:16

Updated : 2026-03-10 18:11

NVD link : CVE-2026-27944

Mitre link : CVE-2026-27944

CVE.ORG link : CVE-2026-27944

JSON object : View

Products Affected

nginxui

nginx_ui

CWE

CWE-306

Missing Authentication for Critical Function

CWE-311

Missing Encryption of Sensitive Data

{"id": "CVE-2026-27944", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-05T19:16:05.840", "references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-311"}]}], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3."}, {"lang": "es", "value": "Nginx UI es una interfaz de usuario web para el servidor web Nginx. Antes de la versi\u00f3n 2.3.3, el endpoint /api/backup es accesible sin autenticaci\u00f3n y revela las claves de cifrado necesarias para descifrar la copia de seguridad en el encabezado de respuesta X-Backup-Security. Esto permite a un atacante no autenticado descargar una copia de seguridad completa del sistema que contiene datos sensibles (credenciales de usuario, tokens de sesi\u00f3n, claves privadas SSL, configuraciones de Nginx) y descifrarla inmediatamente. Este problema ha sido parcheado en la versi\u00f3n 2.3.3."}], "lastModified": "2026-03-10T18:11:27.450", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "AA731011-DD7D-446C-99D7-120A6EBDD668", "versionEndExcluding": "2.3.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}