VYPR
Critical severityNVD Advisory· Published Mar 5, 2026· Updated Mar 19, 2026

Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure

CVE-2026-27944

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/0xJacky/Nginx-UIGo
< 2.3.32.3.3

Affected products

3

Patches

Vulnerability mechanics

References

6

News mentions

1