Critical Nginx UI Flaw Allows Unauthenticated Backup Theft and Decryption
Take action: If you are using Nginx UI, first make sure it is isolated from the internet, then patch to version 2.3.3 immediately. The exploit is trivial, and an instance that is reachable from the internet can be emptied of its secrets with a single unauthenticated GET request.
Nginx UI, a web-based management dashboard for Nginx servers, contains a critical vulnerability that allows unauthenticated attackers to steal and decrypt full system backups.
The flaw is tracked as CVE-2026-27944 (CVSS score 9.8): a missing-authentication vulnerability combined with sensitive data exposure in the Nginx UI /api/backup endpoint. An attacker sends a single GET request to the endpoint, without any credentials, and the server generates a full system backup. It then returns the backup archive with the AES-256 encryption key and initialization vector (IV) included in the X-Backup-Security HTTP response header, so the attacker can download the archive and decrypt it immediately with the key material the server itself supplied, bypassing every intended security boundary.
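As an added example (not code from the advisory or from the Nginx UI project), the following Python script checks an instance you operate for the behaviour described above: it sends the same unauthenticated GET to /api/backup and reports whether the response carries the X-Backup-Security header. The default target URL and port 9000 are assumptions; the verdict logic is kept separate from the network call so it can be exercised on constructed responses.

```python
"""Self-check for CVE-2026-27944 exposure on an Nginx UI instance you own.

Added example; not Nginx UI project code. Assumes the behaviour described
in the advisory: an unauthenticated GET /api/backup on a vulnerable build
returns the archive with an X-Backup-Security response header, while a
fixed build (or one behind proper authentication) refuses the request.
The default target below (port 9000) is an assumption, not from the page.
"""
import sys
import urllib.error
import urllib.request

BACKUP_PATH = "/api/backup"        # endpoint named in the advisory
KEY_HEADER = "X-Backup-Security"   # header that carries the AES key and IV


def classify(status, headers):
    """Map an HTTP status and a header dict to a verdict string.

    Header names are compared case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if status == 200 and KEY_HEADER.lower() in lowered:
        return "VULNERABLE"    # backup served together with its decryption key
    if status in (401, 403):
        return "PROTECTED"     # request rejected without credentials
    if status == 200:
        return "SUSPICIOUS"    # something was served, but no key header seen
    return "UNKNOWN"


def probe(base_url, timeout=10):
    """Issue one unauthenticated GET to the backup endpoint and classify it.

    The body is not read, so no archive is written locally; note that a
    vulnerable server still generates the backup on its side, so only run
    this against instances you own.
    """
    req = urllib.request.Request(base_url.rstrip("/") + BACKUP_PATH, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        # urlopen raises for 4xx/5xx; the status and headers are still usable
        return classify(err.code, dict(err.headers))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9000"
    print(target, probe(target))
```

urlopen follows redirects, so a build that answers the bare request with a redirect to its login page lands on a 200 HTML document and is reported as SUSPICIOUS rather than PROTECTED; inspect such a result by hand. A VULNERABLE verdict means the key material has just been handed over the wire, which is the point of the advisory.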
The decrypted backup contains sensitive operational data that allows for complete system takeover:
- Admin credentials and session tokens from database.db
- Application secrets and database connection strings from app.ini
- SSL private keys and certificates
- Nginx configuration files and virtual host settings
With this data, attackers can log in as the administrator, impersonate the website with its own TLS keys, perform man-in-the-middle attacks, or redirect traffic to malicious servers.
This vulnerability affects all versions of Nginx UI prior to 2.3.3. Security researchers have already published a Python-based proof-of-concept (PoC) that automates the download and decryption process, increasing the risk of active exploitation.
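If an instance was reachable while vulnerable, the next question is whether anyone actually pulled a backup. The following Python sweep, added here and not part of the advisory or the published PoC, scans access logs for requests to /api/backup and separates served archives (HTTP 200) from rejected ones, flagging source addresses outside private ranges. It assumes Nginx UI sits behind an nginx reverse proxy writing the default combined log format; the log lines are constructed for illustration.

```python
"""Sweep nginx access logs for hits on the Nginx UI backup endpoint.

Added example, not from the advisory or the Nginx UI project. Assumes the
reverse proxy in front of Nginx UI writes nginx's default 'combined' log
format; the SAMPLE_LOG lines are constructed, not real traffic.
"""
import ipaddress
import re

# nginx 'combined' format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample: two served backups (one from outside), one rejected
# attempt, and one unrelated API call.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Mar/2026:10:15:01 +0000] "GET /api/backup HTTP/1.1" 200 48211 "-" "python-requests/2.31"
10.0.0.5 - - [02/Mar/2026:10:16:22 +0000] "GET /api/backup HTTP/1.1" 200 47990 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Mar/2026:10:17:03 +0000] "GET /api/backup HTTP/1.1" 401 41 "-" "python-requests/2.31"
198.51.100.9 - - [02/Mar/2026:10:18:44 +0000] "GET /api/nginx/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")
]


def is_internal(ip):
    """True if the address falls in a private or loopback range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_backup_hits(lines, path="/api/backup"):
    """Return (ip, status, bytes, external) for every request to the backup path.

    Query strings are stripped before comparing the path. Lines that do not
    parse as combined format are skipped rather than guessed at.
    """
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m or m.group("path").split("?")[0] != path:
            continue
        size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
        hits.append((m.group("ip"), int(m.group("status")), size, not is_internal(m.group("ip"))))
    return hits


def likely_exfil(hits):
    """Subset of hits where the archive was actually served (HTTP 200).

    A 200 with a body of tens of kilobytes is the archive leaving the host,
    and per the advisory the key travelled in the same response.
    """
    return [h for h in hits if h[1] == 200]


if __name__ == "__main__":
    for ip, status, size, external in find_backup_hits(SAMPLE_LOG.splitlines()):
        flag = "EXTERNAL" if external else "internal"
        print(f"{ip:15} {status} {size:>7} bytes {flag}")
```

Any served backup from an address you do not recognise should be treated as a confirmed theft of everything listed above, not merely as an attempt. Internal 200s still deserve a look, since a vulnerable dashboard is reachable by anything on the same network.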
Organizations using Nginx UI must update to version 2.3.3 or later immediately. Patching does not undo a theft that has already happened: if an instance was reachable without authentication before the update, treat the contents of its backup as exposed and rotate the admin credentials, session tokens and TLS private keys listed above. To prevent similar exposures, administrators should never expose management interfaces to the public internet.