VYPR
Critical severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 19, 2026

Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure

CVE-2026-27944

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Nginx UI prior to 2.3.3 exposes an unauthenticated backup endpoint that leaks encryption keys, enabling attackers to download and decrypt sensitive system data.

Vulnerability

Overview

The vulnerability in Nginx UI (prior to version 2.3.3) stems from two critical flaws in the /api/backup endpoint. First, the endpoint is registered without any authentication middleware, making it accessible to any unauthenticated user [1]. Second, the response includes an X-Backup-Security header that contains the AES-256 encryption key and initialization vector (IV) in plaintext, formatted as key:iv [1]. This combination of missing authentication and cleartext key disclosure violates CWE-306 (Missing Authentication for Critical Function) and CWE-311 (Missing Encryption of Sensitive Data) [1].

Exploitation

An attacker can exploit this vulnerability by sending a simple GET request to /api/backup without any prior authentication or network position requirements [3]. The server responds with a backup archive file and the X-Backup-Security header containing the decryption keys. Because the keys are Base64-encoded and directly exposed, the attacker can immediately decrypt the backup using standard AES-256 decryption tools [1]. No additional privileges or user interaction are needed.

Impact

The backup archive contains highly sensitive data, including user credentials, session tokens, SSL private keys, and Nginx configurations [1][3]. With the decryption keys readily available, an attacker can extract all this information, leading to full compromise of the Nginx UI instance and potentially the underlying web server. The CVSS 3.1 score is 9.8 (Critical) due to the network-based, low-complexity attack vector and high impact on confidentiality, integrity, and availability [1][3].

Mitigation

The issue has been patched in Nginx UI version 2.3.3 [1][2]. Users are strongly advised to upgrade immediately. No workarounds are documented; the only effective mitigation is to apply the update. The project maintainers have addressed the root cause by adding authentication to the backup endpoint and removing the key disclosure from the response headers [1].

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
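As an added example (not Nginx UI's own code, which uses its own router and session handling), the two defects and the fix pattern in plain net/http: a handler that leaks key:iv in a response header, the authentication middleware the vulnerable route lacked, and an in-process check that the hardened route rejects unauthenticated requests and never emits X-Backup-Security. The token, handler names and payload bytes are constructed placeholders.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed session token for the demo; a real server checks a session store.
const demoToken = "demo-session-token"
// Hypothetical handler mirroring the flaw described above (not Nginx UI's code):
// the AES key and IV ride in a response header next to the archive they protect.
func vulnerableBackup(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Backup-Security", "CONSTRUCTED-KEY:CONSTRUCTED-IV")
	w.Write([]byte("CONSTRUCTED-ENCRYPTED-ARCHIVE"))
}

// Hardened variant: the response carries no key material at all.
func hardenedBackup(w http.ResponseWriter, r *http.Request) {
	w.Write([]byte("CONSTRUCTED-ENCRYPTED-ARCHIVE"))
}
// requireAuth is the middleware the vulnerable route lacked: requests without
// a valid bearer token are rejected before the handler ever runs.
func requireAuth(next http.HandlerFunc) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		want := []byte("Bearer " + demoToken)
		if subtle.ConstantTimeCompare([]byte(r.Header.Get("Authorization")), want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next(w, r)
	})
}

// probe sends GET /api/backup to a handler in-process and reports the status
// code and whether an X-Backup-Security header came back.
func probe(h http.Handler, token string) (int, bool) {
	req := httptest.NewRequest(http.MethodGet, "/api/backup", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Header().Get("X-Backup-Security") != ""
}

func main() {
	fmt.Println(probe(http.HandlerFunc(vulnerableBackup), "")) // 200 true
	fmt.Println(probe(requireAuth(hardenedBackup), ""))        // 401 false
}
```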

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: github.com/0xJacky/Nginx-UI (Go)
Affected versions: < 2.3.3
Patched versions: 2.3.3

Affected products

  • Nginx/Nginx (llm-fuzzy)
    Range: <= 2.3.3
  • 0xJacky/nginx-ui (v5)
    Range: < 2.3.3

Patches


No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References


News mentions
