CVE-2026-27944
published 2026-03-05


Priority: P191 | critical | 9.8 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW | EXPLOIT | VulnCheck KEV | Initial access
Exploited in the wild
EPSS: 22.16% (97.4th percentile)
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.

Affected

3 ranges
Vendor | Product | Version range | Fixed in
0xjacky | nginx-ui | < 2.3.3 | 2.3.3
github.com | 0xjacky_nginx-ui | >= 0 < 2.3.3 | 2.3.3
nginxui | nginx_ui | < 2.3.3 | 2.3.3

Detection & IOCs (extracted from sources)

path: /api/backup
other: X-Backup-Security
sigma: HTTP GET /api/backup returning 200 with headers containing 'X-Backup-Security' and 'application/zip'
yara: id: CVE-2026-27944 — Nuclei template: GET {{BaseURL}}/api/backup matching X-Backup-Security + application/zip in response header with HTTP 200
  • Detect unauthenticated GET requests to /api/backup on Nginx UI instances; a vulnerable response will return HTTP 200 with both 'X-Backup-Security' and 'application/zip' in the response headers, and 'attachment; filename=' indicating a backup file download.
  • Extract the value of the X-Backup-Security response header using regex 'X-Backup-Security: (.+)' — this value is the encryption key for the downloaded backup archive.
  • Use Shodan query 'http.title:"nginx ui"' or FOFA query 'title="nginx ui"' to identify internet-exposed Nginx UI instances potentially vulnerable to CVE-2026-27944.
  • A Nuclei template (id: CVE-2026-27944, author: omarkurt) was created by Insikt Group for this vulnerability and can be used to test potentially vulnerable instances.
  • The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The /api/backup endpoint requires no authentication in versions prior to 2.3.3, meaning any network-accessible instance is exploitable without credentials.
  • The backup contains highly sensitive data including user credentials, session tokens, SSL private keys, and Nginx configurations — decryption is trivially possible since the key is returned in the same response header.
  • The Nuclei template has a max-request of 1, meaning a single HTTP GET to /api/backup is sufficient to confirm exploitation — low noise, high fidelity detection.
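
The response pattern described above can be hunted for in a reverse proxy's own logs. The following is an added example, not code from this page or from the Nginx UI project: it assumes a JSON-lines log that records response headers (the field names ts, src, method, path, status and resp_headers are hypothetical), and the sample records are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample records. The JSON-lines schema (ts, src, method, path,
# status, resp_headers) is an assumption; map it to your proxy's log format.
SAMPLE_LOG = """\
{"ts":"2026-03-06T10:01:02Z","src":"198.51.100.7","method":"GET","path":"/api/backup","status":200,"resp_headers":{"Content-Type":"application/zip","Content-Disposition":"attachment; filename=backup.zip","X-Backup-Security":"CONSTRUCTED-KEY-VALUE"}}
{"ts":"2026-03-06T10:01:09Z","src":"198.51.100.7","method":"GET","path":"/api/backup?x=1","status":200,"resp_headers":{"content-type":"application/zip","x-backup-security":"CONSTRUCTED-KEY-VALUE"}}
{"ts":"2026-03-06T10:02:00Z","src":"203.0.113.9","method":"GET","path":"/api/backup","status":403,"resp_headers":{"Content-Type":"application/json"}}
{"ts":"2026-03-06T10:03:00Z","src":"203.0.113.9","method":"GET","path":"/api/settings","status":200,"resp_headers":{"Content-Type":"application/json"}}
not-json garbage line
"""

def is_backup_disclosure(rec):
    """True when a record matches the response pattern described above."""
    # Header names are case-insensitive, so normalise before comparing.
    headers = {k.lower(): str(v) for k, v in (rec.get("resp_headers") or {}).items()}
    # Ignore any query string and trailing slash when matching the endpoint.
    path = urlsplit(str(rec.get("path", ""))).path.rstrip("/")
    return (
        str(rec.get("method", "")).upper() == "GET"
        and path == "/api/backup"
        and rec.get("status") == 200
        and "x-backup-security" in headers
        and "application/zip" in headers.get("content-type", "").lower()
    )

def find_backup_disclosures(log_text):
    """Return (ts, src) for each matching record; the key value is never echoed."""
    hits = []
    for line in log_text.splitlines():
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        if isinstance(rec, dict) and is_backup_disclosure(rec):
            hits.append((rec.get("ts"), rec.get("src")))
    return hits

if __name__ == "__main__":
    for ts, src in find_backup_disclosures(SAMPLE_LOG):
        print(f"{ts} {src}: GET /api/backup returned 200 with X-Backup-Security; "
              "treat the backup contents as disclosed and upgrade to 2.3.3")
```

Any hit means the credentials, session tokens and SSL private keys in that backup should be rotated, since the key travelled in the same response.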

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck | 9.8 | CRITICAL