Nginx UI Vulnerabilities Let Attackers Download Full System Backups
A critical security flaw has been identified in Nginx UI that permits unauthorized threat actors to download and decrypt entire system backups.
Classified under the identifier CVE-2026-27944, this vulnerability carries a maximum critical severity rating of 9.8 out of 10.
This exposes highly sensitive data, including user credentials, session tokens, and SSL private keys, endangering entire server environments through severe compromise risks.
Vulnerability Analysis
The flaw arises from two primary coding deficiencies in Nginx UI’s Go implementation, specifically impacting versions prior to 2.3.2.
First, the application fails to enforce proper authentication on the /api/backup endpoint.
In contrast to the system’s restore function—which correctly employs security middleware to prevent unauthorized access—the backup routing remains completely exposed to public networks.
This deficiency corresponds to CWE-306, categorizing the missing authentication for a critical function.
Second, the system suffers from a critical cryptographic failure, tracked as CWE-311 for missing encryption of sensitive data.
While Nginx UI attempts to secure generated backup archives via AES-256-CBC encryption, it completely undermines this protection by directly transmitting decryption keys to the requester.
Any GET request to the vulnerable endpoint prompts the server to respond with an X-Backup-Security HTTP header.
This header contains the base64-encoded AES-256 key and a 16-byte Initialization Vector (IV) in plain text.
Security researcher 0xJacky recently published a proof-of-concept Python script illustrating how easily this flaw can be weaponized.
The script targets the base URL, requests the backup without login credentials, and automatically unzips files using the intercepted keys.
Due to reliance on standard HTTP requests and basic cryptographic libraries, threat actors can scale attacks rapidly through automation.
The extracted backups reveal catastrophic system secrets. The system database, user credentials, and configuration secrets are exposed in the nginx-ui.zip archive.
Additionally, the nginx.zip archive exposes core Nginx configurations, virtual host setups, and complete SSL certificate chains with private keys.
Given this vulnerability’s absence of authentication requirements and exploit simplicity, organizations utilizing Nginx UI must act immediately.
Any automated scanner or malicious bot can exploit exposed instances within seconds due to zero user interaction.
Administrators must urgently implement these remediation measures to secure environments:
- Patch Management: Immediately upgrade Nginx UI to version 2.3.3 to secure the backup endpoint.
- Credential Reset: Assume all active user credentials and session tokens are compromised and rotate them immediately.
- Certificate Rotation: Generate and deploy new SSL/TLS private keys and certificates across all affected servers.
- Network Security: Restrict Nginx UI administrative interfaces to trusted internal networks and block public internet access.