Critical severity · NVD Advisory · Published Mar 5, 2026 · Updated Mar 19, 2026
Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure
CVE-2026-27944
Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
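A triage helper for this advisory, added here as an example and not code from the Nginx UI project: it gates on the fixed version (2.3.3) and scans Nginx access log lines for successful downloads of /api/backup. It assumes the UI is reverse-proxied through Nginx using the standard combined log format; the log lines below are constructed, not real traffic. Access logs do not record whether a request carried a valid session, so on an instance that ran a version before 2.3.3 every successful download is reported as a candidate for investigation, not as confirmed exploitation.

```python
import re

# Nginx "combined" log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed sample lines (RFC 5737 documentation addresses), not a real log.
SAMPLE_LOG = """\
203.0.113.7 - - [04/Mar/2026:10:12:01 +0000] "GET /api/backup HTTP/1.1" 200 184320 "-" "curl/8.5.0"
198.51.100.2 - - [04/Mar/2026:10:12:05 +0000] "GET /api/settings HTTP/1.1" 401 42 "-" "Mozilla/5.0"
203.0.113.7 - - [04/Mar/2026:10:13:44 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 184320 "-" "python-requests/2.31"
192.0.2.9 - - [04/Mar/2026:11:00:00 +0000] "GET /api/backup HTTP/1.1" 401 42 "-" "Mozilla/5.0"
"""

FIXED_VERSION = (2, 3, 3)  # from the advisory: patched in 2.3.3


def parse_version(version: str) -> tuple:
    """Turn '2.3.2' or 'v2.3.2' into a comparable tuple of ints."""
    return tuple(int(part) for part in version.lstrip("v").split("."))


def is_vulnerable_version(version: str) -> bool:
    """True for any Nginx UI release before the fixed version 2.3.3."""
    return parse_version(version) < FIXED_VERSION


def find_backup_downloads(log_text: str) -> list:
    """Return every successful (2xx) request for /api/backup, ignoring query strings."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines not in combined format
        path = match.group("path").split("?", 1)[0]
        if path == "/api/backup" and match.group("status").startswith("2"):
            size = match.group("size")
            hits.append({
                "ip": match.group("ip"),
                "time": match.group("time"),
                "bytes": 0 if size == "-" else int(size),
            })
    return hits


if __name__ == "__main__":
    if is_vulnerable_version("2.3.2"):
        for hit in find_backup_downloads(SAMPLE_LOG):
            print(f"backup downloaded by {hit['ip']} at {hit['time']} ({hit['bytes']} bytes)")
```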
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/0xJacky/Nginx-UI (Go) | < 2.3.3 | 2.3.3 |
Affected products
- pkg:golang/github.com/0xjacky/nginx-ui (no CPE), range: < 2.3.3
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE), range: < 0.0.20260317T205859-150000.1.152.1
References
- github.com/advisories/GHSA-g9w5-qffc-6762 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-27944 (advisory)
- csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final (web)
- github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762 (vendor advisory, confirmed)
- owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication (web)
- owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure (web)
News mentions
- CVE-2026-33032: Nginx UI Missing MCP Authentication (Rapid7 Blog, Apr 16, 2026)