Key Findings

A critical vulnerability in Nginx UI, tracked as CVE-2026-27944, allows attackers to download and decrypt full server backups without authentication.

The vulnerability stems from two major flaws: the /api/backup endpoint lacks authentication, and the server exposes the AES-256 encryption key and IV in an HTTP response header.

Exploitation of the vulnerability could have serious consequences as a full Nginx UI backup contains large amounts of sensitive operational