Nginx UI flaw CVE-2026-27944 lets attackers download and decrypt server backups without authentication, exposing sensitive data on public management interfaces.
A critical vulnerability in Nginx UI, tracked as CVE-2026-27944 (CVSS score of 9.8), allows attackers to download and decrypt full server backups without authentication. The flaw poses a serious risk to organizations exposing the management interface, potentially revealing sensitive configuration data, credentials, and encryption keys.
“The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header,” reads the advisory. “This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately.”
The vulnerability stems from two major flaws: the /api/backup endpoint lacks authentication, allowing anyone to request a full system backup, and the server exposes the AES-256 encryption key and IV in an HTTP response header. As a result, attackers can download and immediately decrypt backups containing credentials, configuration files, databases, and SSL private keys, exposing the entire Nginx environment.
Nginx UI is a web-based management dashboard designed to simplify the administration of Nginx servers. Instead of configuring Nginx through command-line files, administrators can use a graphical interface to manage servers, monitor performance, and update configurations.
The advisory includes Proof of Concept (PoC) exploit code for this vulnerability.
The exploitation of the vulnerability could have serious consequences because a full Nginx UI backup contains large amounts of sensitive operational data. Once decrypted, attackers may obtain admin credentials and session tokens, allowing them to take control of the management interface, alter configurations, redirect traffic, or deploy malicious rules. The archive may also include private SSL keys, enabling website impersonation or man-in-the-middle attacks. In addition, database credentials and configuration files could expose application secrets and user data.
Nginx configuration files may also reveal internal infrastructure details such as reverse proxy routes, upstream services, and virtual hosts, giving attackers a clear map of the organization’s web environment.
The vulnerability highlights a key security principle: management interfaces should never be exposed to the public internet. Organizations should restrict access through private networks, VPNs, or secure tunnels. Additional protections such as IP allowlisting, multi-factor authentication, and network segmentation can further reduce risk. Regular security reviews of APIs and admin endpoints are also essential, as small design flaws can create major security gaps.
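As an added illustration of the allowlisting and admin-endpoint review the article recommends (this is not code from the advisory or the Nginx UI project), the script below scans Nginx access logs in the standard combined format, assumed here to come from a reverse proxy in front of the Nginx UI instance, and flags successful /api/backup downloads from addresses outside an internal allowlist. The log lines and the allowlisted networks are constructed samples.

```python
import ipaddress
import re
from typing import Dict, List

# Nginx "combined" access log format (assumed; the advisory does not specify log layout).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Networks from which backup downloads are expected (constructed placeholder ranges).
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def is_allowed(ip: str) -> bool:
    """True if the client address falls inside one of the allowlisted networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ALLOWED_NETS)


def find_backup_downloads(lines: List[str]) -> List[Dict[str, str]]:
    """Return successful /api/backup requests from outside the allowlist.
    A 200 on this path means the backup archive (and, per the advisory, the
    key material in X-Backup-Security) was served to an unexpected source."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path.rstrip("/") != "/api/backup":
            continue
        if m.group("status") != "200" or is_allowed(m.group("ip")):
            continue
        hits.append({"ip": m.group("ip"), "time": m.group("time"), "bytes": m.group("size")})
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Mar/2026:10:00:00 +0000] "GET /api/backup HTTP/1.1" 200 482113 "-" "curl/8.4"',
    '203.0.113.7 - - [01/Mar/2026:10:02:11 +0000] "GET /api/backup HTTP/1.1" 200 482113 "-" "python-requests/2.31"',
    '203.0.113.7 - - [01/Mar/2026:10:02:09 +0000] "GET /api/backup HTTP/1.1" 403 153 "-" "python-requests/2.31"',
    '198.51.100.2 - - [01/Mar/2026:10:05:00 +0000] "GET /api/health HTTP/1.1" 200 12 "-" "curl/8.4"',
]

if __name__ == "__main__":
    for hit in find_backup_downloads(SAMPLE_LOG):
        print(f"ALERT: backup served to {hit['ip']} at {hit['time']} ({hit['bytes']} bytes)")
```

Only the external 200 response is reported; the allowlisted download and the blocked 403 attempt are left alone, so the output points at downloads that actually disclosed the archive.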
Because Nginx is widely used in modern infrastructure, vulnerabilities in management tools like Nginx UI can quickly become serious threats. Keeping these tools secure and regularly updated is essential to protect servers and the sensitive data they handle.
(SecurityAffairs – hacking, CVE-2026-27944)
