CVE-2026-27944
Published 2026-03-05
Priority: P1 · 91 · Severity: critical · CVSS 3.1: 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · Exploit · VulnCheck KEV (a VulnCheck listing; the Wiz entry below records no CISA KEV entry) · Initial access
Exploited in the wild
EPSS: 22.16% (97.4th percentile)
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 0xjacky | nginx-ui | < 2.3.3 | 2.3.3 |
| github.com | 0xjacky_nginx-ui | >= 0 < 2.3.3 | 2.3.3 |
| nginxui | nginx_ui | < 2.3.3 | 2.3.3 |
Detection & IOCs (extracted from sources)
Sigma: HTTP GET /api/backup returning 200 with headers containing 'X-Backup-Security' and 'application/zip'
Nuclei (id: CVE-2026-27944): GET {{BaseURL}}/api/backup, matching X-Backup-Security + application/zip in the response headers with HTTP 200
- Detect unauthenticated GET requests to /api/backup on Nginx UI instances; a vulnerable response returns HTTP 200 with both 'X-Backup-Security' and 'application/zip' in the response headers, plus 'attachment; filename=' indicating a backup file download.
- Extract the value of the X-Backup-Security response header with the regex 'X-Backup-Security: (.+)'; this value is the encryption key for the downloaded backup archive.
- Use the Shodan query 'http.title:"nginx ui"' or the FOFA query 'title="nginx ui"' to identify internet-exposed Nginx UI instances potentially vulnerable to CVE-2026-27944.
- A Nuclei template (id: CVE-2026-27944, author: omarkurt) was created by Insikt Group for this vulnerability and can be used to test potentially vulnerable instances.
- The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The /api/backup endpoint requires no authentication in versions prior to 2.3.3, so any network-reachable instance is exploitable without credentials.
- The backup contains highly sensitive data including user credentials, session tokens, SSL private keys, and Nginx configurations; decryption is trivial because the key is returned in the same response.
- The Nuclei template has max-request 1: a single HTTP GET to /api/backup is enough to confirm the vulnerability, which makes it a low-noise, high-fidelity check. For log-based hunting on patched hosts, treat a 200 to /api/backup as suspicious only when it was served without an authenticated session, since a legitimate backup download by an authenticated administrator can produce the same headers.
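The response indicators above, as an added example that is not part of the original page and not the Nuclei project's template: a Go function that applies them to raw HTTP responses and returns the leaked key, so the same logic can be run over a scanner's output or over captured responses. The three sample responses are constructed for this example; the key format of a real Nginx UI instance is not reproduced, and the 401 JSON refusal is an assumption about how an authenticated-only endpoint answers.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// ProbeVerdict is the classification of one response to GET /api/backup.
type ProbeVerdict struct {
	Vulnerable bool   // every required indicator is present
	Key        string // value of X-Backup-Security, i.e. the archive decryption key, when leaked
	Attachment bool   // Content-Disposition advertised a file download (corroborating, not required)
	Reason     string // which indicator decided the verdict
}

// ClassifyBackupResponse applies the indicators listed above to a raw HTTP response:
// HTTP 200, Content-Type application/zip and an X-Backup-Security header are required;
// "attachment; filename=" is recorded as corroboration. Headers go through Go's HTTP
// parser rather than a line regex, so header case, surrounding whitespace and CRLF
// variants are all normalised before the checks run.
func ClassifyBackupResponse(raw string) (ProbeVerdict, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return ProbeVerdict{}, fmt.Errorf("parse response: %w", err)
	}
	defer resp.Body.Close()
	_, _ = io.Copy(io.Discard, resp.Body) // body content is irrelevant to the verdict

	v := ProbeVerdict{
		Attachment: strings.Contains(strings.ToLower(resp.Header.Get("Content-Disposition")), "attachment"),
	}
	if resp.StatusCode != http.StatusOK {
		v.Reason = fmt.Sprintf("status %d: endpoint refused or absent", resp.StatusCode)
		return v, nil
	}
	ct := strings.ToLower(resp.Header.Get("Content-Type"))
	if !strings.HasPrefix(ct, "application/zip") {
		v.Reason = "200 but not a zip archive: " + ct
		return v, nil
	}
	v.Key = strings.TrimSpace(resp.Header.Get("X-Backup-Security"))
	if v.Key == "" {
		v.Reason = "zip download without X-Backup-Security: not an Nginx UI backup"
		return v, nil
	}
	v.Vulnerable = true
	v.Reason = "unauthenticated backup served together with its decryption key"
	return v, nil
}

// Sample responses constructed for this example; they are not captures from a real instance.
const (
	SampleVulnerable = "HTTP/1.1 200 OK\r\n" +
		"Content-Type: application/zip\r\n" +
		"Content-Disposition: attachment; filename=backup.zip\r\n" +
		"X-Backup-Security: constructed-key-material-0123456789abcdef\r\n" +
		"\r\n" +
		"PK\x03\x04" // zip magic standing in for the encrypted archive

	// Assumed shape of a refusal from a patched, authenticated-only endpoint.
	SamplePatched = "HTTP/1.1 401 Unauthorized\r\n" +
		"Content-Type: application/json; charset=utf-8\r\n" +
		"\r\n" +
		"{\"message\":\"unauthorized\"}"

	// Some other application's zip download: a 200 with a zip attachment but no key header.
	SampleOtherZip = "HTTP/1.1 200 OK\r\n" +
		"Content-Type: application/zip\r\n" +
		"Content-Disposition: attachment; filename=export.zip\r\n" +
		"\r\n" +
		"PK\x03\x04"
)

func main() {
	for name, raw := range map[string]string{
		"vulnerable": SampleVulnerable, "patched": SamplePatched, "other-zip": SampleOtherZip,
	} {
		v, err := ClassifyBackupResponse(raw)
		if err != nil {
			fmt.Printf("%-10s parse error: %v\n", name, err)
			continue
		}
		fmt.Printf("%-10s vulnerable=%-5t key=%q reason=%s\n", name, v.Vulnerable, v.Key, v.Reason)
	}
}
```

The third sample is the false-positive case worth keeping in any rule: a zip attachment on a 200 is common, and only the X-Backup-Security header ties the download to this endpoint.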
CVSS provenance
NVD (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
VulnCheck: 9.8 CRITICAL
OSV
Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure in github.com/0xJacky/Nginx-UI
osv · 2026-03-10
NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions.
(If this is causing false-positive reports from vulnerability scanners, please suggest an edit to the report.)
The additional affected modules and versions are: github.com/0xJacky/Nginx-UI before v2.3.3.
OSV
Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure
osv · 2026-03-05 · CRITICAL
## Summary
The `/api/backup` endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the `X-Backup-Security` response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately.
## Vulnerability Details
| Field | Value |
|-------|-------|
| CWE | CWE-306: Missing Authentication for Critical Function + CWE-311: Missing Encryption of Sensitive Data |
| Affected File | `api/backup/router.go` |
| Affected Function | `CreateBackup` (lines 8-11 in router, implementation in `api/backup/backup.go:13-38`) |
GHSA
Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure
ghsa · 2026-03-05 · CWE-306 · CRITICAL
(The GHSA advisory text is identical to the OSV 2026-03-05 entry above.)
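The missing check the advisory describes, as an added illustration in plain Go net/http that is not Nginx UI's code (the project's real router, its `CreateBackup` implementation and the 2.3.3 fix are not reproduced here): one backup handler registered once with nothing in front of it, which is the CWE-306 condition, and once behind a hypothetical bearer-token gate, plus a probe that reports whether the key header came back. The token scheme, the refusal text and the per-backup random key are assumptions made for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// backupHandler plays the role of the critical function: it streams an encrypted
// archive and hands the caller the key that decrypts it in X-Backup-Security.
// Nothing here is wrong as long as only an authenticated administrator can reach it.
func backupHandler(w http.ResponseWriter, r *http.Request) {
	key := make([]byte, 32) // assumed: a fresh random key per backup
	if _, err := rand.Read(key); err != nil {
		http.Error(w, "key generation failed", http.StatusInternalServerError)
		return
	}
	w.Header().Set("Content-Type", "application/zip")
	w.Header().Set("Content-Disposition", "attachment; filename=backup.zip")
	w.Header().Set("X-Backup-Security", hex.EncodeToString(key))
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write([]byte("PK\x03\x04")) // zip magic standing in for the archive bytes
}

// VulnerableMux mirrors the pre-2.3.3 condition (CWE-306): the route is registered
// with no authentication in front of it, so any client gets the archive and its key.
func VulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/backup", backupHandler)
	return mux
}

// requireBearer is a hypothetical authentication gate. The comparison is
// constant-time so the token cannot be recovered byte by byte through timing.
func requireBearer(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		got := strings.TrimPrefix(auth, "Bearer ")
		if !strings.HasPrefix(auth, "Bearer ") || subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			// Refuse before the handler runs, so no archive and no key are ever produced.
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			_, _ = w.Write([]byte(`{"message":"unauthorized"}`))
			return
		}
		next.ServeHTTP(w, r)
	})
}

// HardenedMux registers the same handler behind the gate.
func HardenedMux(token string) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/backup", requireBearer(token, http.HandlerFunc(backupHandler)))
	return mux
}

// Probe issues GET /api/backup (with an optional bearer token) against a handler and
// reports the status and whatever X-Backup-Security value came back.
func Probe(h http.Handler, token string) (status int, leakedKey string) {
	req := httptest.NewRequest(http.MethodGet, "/api/backup", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("X-Backup-Security")
}

func main() {
	const adminToken = "constructed-admin-token"
	for _, c := range []struct {
		name  string
		h     http.Handler
		token string
	}{
		{"vulnerable, no credentials", VulnerableMux(), ""},
		{"hardened, no credentials", HardenedMux(adminToken), ""},
		{"hardened, wrong token", HardenedMux(adminToken), "guess"},
		{"hardened, admin token", HardenedMux(adminToken), adminToken},
	} {
		status, key := Probe(c.h, c.token)
		fmt.Printf("%-28s status=%d key-leaked=%t\n", c.name, status, key != "")
	}
}
```

The gate sits in front of the handler rather than inside it, so the decision to produce an archive and a key is never reached by an anonymous caller; that is the property a route-level fix for CWE-306 has to restore.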
VulnCheck
nginxui nginx_ui Missing Authentication for Critical Function
vulncheck · 2026 · CVSS 9.8 · CRITICAL
(Description as in the NVD entry above.)
Affected: nginxui nginx_ui
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/
No detection rules found.
Nuclei
Nginx UI < 2.3.3 - Information Disclosure
nuclei · CVSS 9.8 · CRITICAL
Template:
```yaml
id: CVE-2026-27944

info:
  name: Nginx UI < 2.3.3 - Information Disclosure
  author: omarkurt
  severity: critical
  description: |
    Nginx UI < 2.3.3 contains an information disclosure vulnerability caused by unauthenticated access to /api/backup endpoint exposing encryption keys in X-Backup-Security header, letting unauthenticated attackers download and decrypt full system backups.
  impact: |
    Unauthenticated attackers can access and decrypt full system backups, exposing sensitive data including
```
Recorded Future
March 2026 CVE Landscape: 31 High-Impact Vulnerabilities Identified, Interlock Ransomware Group Exploits Cisco FMC Zero-Day
blogs_recorded_future · 2026-04-13 · CVSS 9.8
In March 2026, Insikt Group® identified 31 high-impact vulnerabilities that should be prioritized for remediation, 29 of which had a Very Critical Recorded Future Risk Score.
These vulnerabilities affected products from the following vendors: Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. This month's most affected vendors were Microsoft and Apple, together accounting for approximately 32% of the 31 vulnerabilities.
One vulnerability (CVE-2017-7921 affecting Hikvision) is approximately nine ye
GreyNoise
NoiseLetter March 2026
blogs_greynoiseio
Wiz
CVE-2026-27944 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.8 · CRITICAL
## CVE-2026-27944: Nginx UI vulnerability analysis and mitigation
(Description as in the NVD entry above; Source: NVD.)
Score: 9.8 · Published: March 5, 2026 · Severity: CRITICAL · CNA Score: 9.8
Affected Technologies: Nginx UI
Has Public Exploit: Yes
Has CISA KEV Exploit: No (CISA KEV Release Date: N/A; CISA KEV Due Date: N/A)