Vulnerabilities in the Nginx UI

Full system backups can be downloaded and decrypted by unauthorized attackers thanks to a recently identified critical vulnerability in Nginx UI. This defect, tracked as CVE-2026-27944, has a maximum CVSS score of 9.8 and is classified as CWE-306 and CWE-311.

It affects all Nginx UI versions prior to 2.3.2, so administrators must update to 2.3.3 in order to apply the security patch. Two separate flaws in the Nginx UI Go codebase combine to produce the vulnerability. Unlike the other management endpoints, which are protected, the /api/backup endpoint performs no authentication check and is therefore fully exposed wherever the interface is reachable from the public internet. Additionally, the system transmits the Initialization Vector (IV) and the Base64-encoded AES-256 encryption key in plain text in the X-Backup-Security HTTP response header.

After sending a standard GET request to the backup endpoint, an attacker downloads the encrypted ZIP archive and uses the key and IV from the response header to decrypt its contents immediately. A public Proof-of-Concept (PoC) script already exists, showing how little effort a Python script needs to exploit this vulnerability and extract the targeted files. Once the backup has been decrypted, the attacker can read extremely sensitive system files, such as the database.db file containing user credentials and the app.ini configuration file.

This exploit gives the attacker complete access to all SSL certificates, private keys, Nginx configuration files, and virtual host configurations. Threat actors can easily take control of the Nginx UI management console or use man-in-the-middle attacks to intercept secure communications with this information.

Stolen session tokens and credentials can also be used to launch deeper network intrusions.

Mitigations

Upgrading Nginx UI to version 2.3.3 or later is the first and most important step in mitigation and response. Organizations should also enforce strict access control by limiting network access to the /api/backup endpoint via firewalls, per the recommendation on GitHub.

Security teams should restrict all management interfaces to trusted internal networks and block public access to the /api/backup endpoint until the patch can be applied. To detect exploitation attempts proactively, security teams should monitor server logs for unexpected or unauthenticated GET /api/backup HTTP requests.

Administrators should also regularly inspect outgoing HTTP responses for the X-Backup-Security header, which carries the leaked Base64 key and IV, in order to detect any direct exposure.
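The two detection checks described above (flagging GET /api/backup requests in the access log, and spotting the X-Backup-Security header on a response) as an added example; this is not code from the article or from the Nginx UI project. It assumes the server in front of Nginx UI writes the standard nginx "combined" log format, and the log lines below are constructed samples.

```python
import re
from typing import Iterable

# nginx "combined" log format (assumption: adjust LOG_RE if your log_format differs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
BACKUP_PATH = "/api/backup"
LEAK_HEADER = "x-backup-security"


def backup_requests(lines: Iterable[str]) -> list[dict]:
    """Return every GET /api/backup request in the log, in log order.
    A 200 with a non-empty body means an archive was actually served; on a
    patched instance an unauthenticated request should be rejected instead."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] == "GET" and path == BACKUP_PATH:
            status = int(m["status"])
            size = 0 if m["size"] == "-" else int(m["size"])
            hits.append({"ip": m["ip"], "time": m["ts"], "status": status,
                         "served": status == 200 and size > 0})
    return hits


def leaks_backup_key(headers: dict[str, str]) -> bool:
    """True if a response carries X-Backup-Security, i.e. the AES key and IV
    are being handed in clear to whoever made the request."""
    return any(name.lower() == LEAK_HEADER for name in headers)


# Constructed sample log lines (not real traffic); 203.0.113.7 is a documentation address.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2026:10:00:01 +0000] "GET /api/settings HTTP/1.1" 401 0 "-" "curl/8.0"',
    '203.0.113.7 - - [01/Mar/2026:10:00:02 +0000] "GET /api/backup HTTP/1.1" 200 84213 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Mar/2026:10:00:03 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 84213 "-" "python-requests/2.31"',
    '10.0.0.5 - - [01/Mar/2026:10:00:04 +0000] "GET /api/backup HTTP/1.1" 403 0 "-" "curl/8.0"',
    '10.0.0.5 - - [01/Mar/2026:10:00:05 +0000] "POST /api/login HTTP/1.1" 200 120 "-" "curl/8.0"',
]

for hit in backup_requests(SAMPLE_LOG):
    print(f'{hit["time"]} {hit["ip"]} -> {hit["status"]} ({"SERVED" if hit["served"] else "rejected"})')
```

Run it against your real access log by replacing SAMPLE_LOG with `open("/var/log/nginx/access.log")`; any "SERVED" line from an address that is not an authenticated administrator warrants treating the backup contents (credentials, certificates, private keys) as compromised.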