Critical Nginx UI Vulnerability: Hackers Can Download and Decrypt Server Backups
- 11/03/2026
A critical vulnerability has recently been discovered in Nginx UI, a popular web-based management interface for Nginx servers. The flaw could allow attackers to download and decrypt the entire system backup without any authentication.
The vulnerability, identified as CVE-2026-27944, has a CVSS score of 9.8, which is close to the maximum severity level. With this level of risk, systems exposing Nginx UI to the internet could leak sensitive data—including user information, security keys, and SSL certificates—through nothing more than a simple HTTP request.
What is CVE-2026-27944 and where is it located?
According to security researchers, the vulnerability stems from two critical mistakes in the application's source code. Nginx UI is developed using the Go programming language, and the issue affects all versions prior to 2.3.2.
The first flaw involves the /api/backup endpoint, the API used to create and download system backups. While the restore functionality is protected by authentication, the backup endpoint has no access control at all. In software vulnerability classification this is CWE-306, Missing Authentication for Critical Function: anyone who can reach the endpoint can make the server generate and serve a backup without logging in or holding administrative privileges.
The second flaw lies in the backup encryption. Nginx UI encrypts backup files with AES-256-CBC, but the server returns the decryption key to the requester in the same response that carries the ciphertext.
The issue is classified under CWE-311, Missing Encryption of Sensitive Data: ciphertext delivered together with its key offers no more protection than plaintext, so the encryption layer fails to protect the sensitive data it wraps.
Exploitation mechanism: Only one HTTP request needed
Technical analysis shows that when an attacker sends a GET request to the vulnerable endpoint, the server responds with an HTTP header named X-Backup-Security. This header contains:
- A Base64-encoded AES-256 key
- A 16-byte initialization vector (IV)
Both values are returned in the clear (Base64 is an encoding, not protection), so anyone holding the response can decrypt the downloaded backup file. This turns the entire attack into a simple sequence:
Send request → Download backup → Decrypt data
0xJacky, the maintainer of Nginx UI, published a proof-of-concept (PoC) on GitHub demonstrating how the vulnerability can be exploited. The PoC is a Python script that sends an HTTP request to the target server, retrieves the backup file, and decrypts it immediately using the key and IV provided in the response.
With this method, attackers need neither a login nor special privileges, and the attack can be performed remotely over the internet.
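To make the two flaws concrete, here is an added example in Go (the language Nginx UI is written in) that is not the project's code: a minimal net/http handler that reproduces the pattern the article describes, a decryption routine doing what the PoC is said to do, and a hardened handler for comparison. The admin token, the backup contents, and the "key;IV" layout inside X-Backup-Security are assumptions (the article only says the header carries both values), and the hardening shown is one reasonable option, not necessarily what the patched release changed.

```go
package main

// Added illustration, not Nginx UI's own code: a stdlib net/http model of the
// two flaws the article describes, beside one possible hardening. The admin
// token, backup contents and "key;IV" header layout are assumptions.

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

var backupPlaintext = []byte("nginx.conf, TLS private keys, app.db (constructed sample)")

const adminToken = "example-admin-token" // hypothetical admin bearer token

// Stand-in for storage only the operator can reach (e.g. a root-only file read
// over SSH); an assumption, not the project's actual fix.
var serverSideKeys = map[string][]byte{}

// encryptCBC encrypts data with AES-256-CBC (PKCS#7 padding) under a fresh
// random key and IV; aes.NewCipher cannot fail for a 32-byte key.
func encryptCBC(data []byte) (ct, key, iv []byte) {
	kv := make([]byte, 32+aes.BlockSize)
	if _, err := rand.Read(kv); err != nil {
		panic(err) // no usable CSPRNG: nothing sensible to do in an example
	}
	key, iv = kv[:32], kv[32:]
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(data)%aes.BlockSize
	padded := append(append([]byte{}, data...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct = make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return ct, key, iv
}

// vulnerableBackupHandler reproduces the described pattern: no authentication
// check (CWE-306) and key plus IV handed back in a response header.
func vulnerableBackupHandler(w http.ResponseWriter, r *http.Request) {
	ct, key, iv := encryptCBC(backupPlaintext)
	w.Header().Set("X-Backup-Security",
		base64.StdEncoding.EncodeToString(key)+";"+base64.StdEncoding.EncodeToString(iv))
	w.Write(ct)
}

// hardenedBackupHandler requires a bearer token and returns only IV||ciphertext:
// the IV need not be secret, and the key never leaves the server.
func hardenedBackupHandler(w http.ResponseWriter, r *http.Request) {
	const prefix = "Bearer "
	auth := r.Header.Get("Authorization")
	if !strings.HasPrefix(auth, prefix) ||
		subtle.ConstantTimeCompare([]byte(auth[len(prefix):]), []byte(adminToken)) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	ct, key, iv := encryptCBC(backupPlaintext)
	serverSideKeys["latest"] = key
	w.Write(append(iv, ct...))
}

// decryptWithLeakedHeader does what the article says the PoC does: pull key and
// IV out of the header and decrypt the downloaded archive.
func decryptWithLeakedHeader(header string, ct []byte) ([]byte, error) {
	k64, iv64, ok := strings.Cut(header, ";")
	key, errK := base64.StdEncoding.DecodeString(k64)
	iv, errI := base64.StdEncoding.DecodeString(iv64)
	if !ok || errK != nil || errI != nil || len(iv) != aes.BlockSize || len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("no usable key/IV pair or malformed ciphertext")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	if pad := int(pt[len(pt)-1]); pad >= 1 && pad <= aes.BlockSize {
		return pt[:len(pt)-pad], nil
	}
	return nil, fmt.Errorf("bad padding")
}

// probe issues one GET /api/backup to h, optionally with a bearer token, and
// returns the status, the X-Backup-Security header value and the body.
func probe(h http.HandlerFunc, token string) (int, string, []byte) {
	req := httptest.NewRequest(http.MethodGet, "/api/backup", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code, rec.Header().Get("X-Backup-Security"), rec.Body.Bytes()
}
```

probe(vulnerableBackupHandler, "") answers 200 with a populated header, and decryptWithLeakedHeader recovers the plaintext from that response alone; probe(hardenedBackupHandler, "") answers 401, and even the authenticated call carries no header, so the same decryptor fails on it. Whatever the real fix looks like, the check to run against your own deployment is the first half: an unauthenticated GET /api/backup must not return 200.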
What data could be exposed?
If successfully exploited, attackers could access the entire contents of the system backup. Sensitive data that may be exposed includes:
- User login credentials
- Session tokens
- Database data
- API keys
- Server configuration files
- SSL/TLS private keys
The exposure of SSL private keys is particularly dangerous, as it could allow attackers to impersonate the server or decrypt HTTPS traffic.
In enterprise environments where Nginx often functions as a reverse proxy or gateway, the impact could spread across the entire infrastructure.
Severity and scope of impact
With a CVSS score of 9.8, CVE-2026-27944 is considered a critical vulnerability.
Three main factors make it especially dangerous:
- No authentication required
- Remote exploitation via the internet
- Direct access to sensitive data
Since Nginx UI is frequently deployed for web server administration, many systems may unintentionally expose this management interface to the internet, making them easy targets for automated vulnerability scanning tools.
Attack groups could integrate this exploit into internet-wide scanning bots, enabling them to automatically collect backups from numerous servers within a short time.
Mitigation and prevention
Cybersecurity experts recommend administrators take immediate action if they are using Nginx UI. Important measures include:
- Update the software: upgrade to Nginx UI version 2.3.3 or later; every release before 2.3.2 contains the flaw.
- Change credentials: reset all user passwords, API tokens, and session credentials if the system may have been accessed without authorization.
- Renew security certificates: regenerate all SSL/TLS keys and certificates that were stored in a potentially exposed backup, and revoke the old certificates.
- Restrict access to the admin interface: do not expose Nginx UI directly to the public internet. Limit access to internal networks or a VPN.
- Review system logs: check for requests to the /api/backup endpoint, particularly from unfamiliar IP addresses; a successful (200) response means a backup was actually served.
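The log review above can be scripted. The following is an added example, not from the article or from Nginx UI: it assumes Nginx UI sits behind nginx writing the default "combined" access-log format, parses each line, and flags every request to /api/backup from an address outside an operator-defined allowlist. The log lines and the allowlist are constructed for the example.

```go
package main

// Added example, not part of the article or of Nginx UI: scans nginx
// access-log lines (default "combined" format, an assumption) for requests to
// /api/backup from addresses outside an allowlist. Log lines are constructed.

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

type accessEntry struct {
	IP, Time, Method, Path, Status string
}

// combinedLine captures client IP, timestamp, method, path and status from
// $remote_addr - $remote_user [$time_local] "$request" $status ...
var combinedLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) `)

func parseAccessLine(line string) (accessEntry, bool) {
	m := combinedLine.FindStringSubmatch(line)
	if m == nil {
		return accessEntry{}, false
	}
	return accessEntry{IP: m[1], Time: m[2], Method: m[3], Path: m[4], Status: m[5]}, true
}

// isBackupPath matches the endpoint with or without a query string or trailing
// slash, so trivial variations of the request are not missed.
func isBackupPath(p string) bool {
	if i := strings.IndexByte(p, '?'); i >= 0 {
		p = p[:i]
	}
	return strings.TrimSuffix(p, "/") == "/api/backup"
}

// findBackupRequests returns every /api/backup request whose client address is
// outside allowedCIDRs, in log order. Status 200 means an archive was served;
// other codes still show the endpoint being probed.
func findBackupRequests(lines []string, allowedCIDRs []string) ([]accessEntry, error) {
	var nets []*net.IPNet
	for _, c := range allowedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("allowlist entry %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	var hits []accessEntry
	for _, line := range lines {
		e, ok := parseAccessLine(line)
		if !ok || !isBackupPath(e.Path) {
			continue
		}
		ip := net.ParseIP(e.IP)
		allowed := false
		for _, n := range nets {
			if ip != nil && n.Contains(ip) {
				allowed = true
				break
			}
		}
		if !allowed {
			hits = append(hits, e)
		}
	}
	return hits, nil
}

// sampleLog is constructed for this example (RFC 5737 documentation addresses).
var sampleLog = []string{
	`203.0.113.7 - - [11/Mar/2026:08:14:02 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "python-requests/2.31"`,
	`203.0.113.7 - - [11/Mar/2026:08:14:03 +0000] "GET /api/settings HTTP/1.1" 401 0 "-" "python-requests/2.31"`,
	`10.0.0.5 - - [11/Mar/2026:08:15:10 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "Mozilla/5.0"`,
	`198.51.100.9 - - [11/Mar/2026:08:16:44 +0000] "GET /api/backup?format=zip HTTP/1.1" 401 0 "-" "curl/8.5.0"`,
	`garbage line that does not parse`,
}

func main() {
	hits, err := findBackupRequests(sampleLog, []string{"10.0.0.0/8"})
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("%s %s %s %s -> %s\n", h.Time, h.IP, h.Method, h.Path, h.Status)
	}
}
```

On the constructed input the scan reports the two external clients and skips the internal one; a hit with status 200 means an archive was actually served and the credential and certificate rotation above stops being optional. If requests are recorded in the Nginx UI application log rather than an nginx access log, only parseAccessLine needs to change.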
The CVE-2026-27944 vulnerability in Nginx UI is a clear example of how small security design mistakes can lead to serious consequences. A single unauthenticated endpoint and a flawed encryption implementation turned the backup system into an entry point for attackers to access the entire infrastructure.
For organizations using Nginx UI, promptly applying security patches and auditing system configurations is essential to prevent data leaks, server compromise, and exposure of critical security keys.
Source: Cyberpress