Researchers uncover Nginx UI flaw that decrypts full backups

Unauthenticated attackers can download and immediately decrypt Nginx UI backups; admins must upgrade to 2.3.3, block /api/backup externally, and hunt for leaked keys.

Dr. Elena Rodriguez
Source: securityonline.info

Security researchers disclosed a critical vulnerability in the Go-based Nginx UI, tracked as CVE-2026-27944 and carrying a CVSS score of 9.8, that allows unauthenticated remote attackers to request a full system backup and receive the AES decryption material in the response. The flaw affects all Nginx UI versions before 2.3.2; vendors and researchers advise upgrading to Nginx UI 2.3.3 or later immediately and restricting access to management interfaces.

The bug centers on the /api/backup endpoint. Securityaffairs summarized the core failure bluntly: “The `/api/backup` endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the `X-Backup-Security` response header.” Multiple reports say the header contains Base64-encoded AES keys and a 16-byte initialization vector, and that backups are encrypted using AES-256-CBC in practice. The combination of an unauthenticated backup download and a header that reveals the exact key and IV hands attackers the means to decrypt archives in short order.

The root cause is twofold: missing authentication on a critical function and a cryptographic misimplementation that returns decryption material to the client. Cyberpress described the coding failures this way: “The first issue lies in the /api/backup endpoint, which fails to enforce proper authentication controls. Unlike the secure restore function that uses middleware to filter unauthorized access, the backup route remains publicly accessible.” Cyberpress added that “Although Nginx UI attempts to encrypt backup archives using AES-256-CBC, it undermines its own security by returning the decryption keys to the requester.”

Exploitability is straightforward. Gbhackers documented a proof-of-concept Python script by researcher 0xJacky and reported that it automates the full chain: “The script targets the base URL, requests the backup without any login credentials, and automatically unzips the downloaded files using the intercepted keys.” Gbhackers warned that “Because the exploit relies on standard HTTP requests and basic cryptographic libraries, threat actors can quickly automate attacks at scale.” Cyberpress likewise warned that the attack requires no authentication and can be executed remotely, placing exposed deployments at immediate risk.

The practical consequences are severe. Reports list exposed contents in the nginx-ui.zip backup archive as SSL certificates and private keys, Nginx configuration and virtual host files, user credentials and session tokens, and system databases. Cyber Security News framed the impact starkly: “Through this exploit, all SSL certificates, private keys, Nginx configuration files, and virtual host setups are fully exposed to the attacker.” With those artifacts an attacker can take over Nginx management consoles or perform man-in-the-middle attacks: “With this information, threat actors can effortlessly take over the Nginx UI management console or intercept secure communications via man-in-the-middle attacks,” the outlet added.

Administrators must act immediately: upgrade to Nginx UI 2.3.3 or later, block public access to /api/backup with firewall rules and network controls, and restrict management interfaces to trusted internal networks. Teams should monitor logs for unauthenticated GET requests to /api/backup, inspect outgoing responses for the X-Backup-Security header, and look for downloads of nginx-ui.zip. If exploitation is suspected, rotate credentials and TLS keys, revoke and reissue certificates where feasible, and conduct a full incident response. Treat any exposed deployment as compromised until these checks and mitigations are completed.
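The log hunt described above, as an added example that is not part of the original article or of the Nginx UI project: it scans access-log lines in the common "combined" format (assumed to come from a reverse proxy in front of Nginx UI, with the trusted-network ranges and the sample lines constructed for illustration) for successful /api/backup downloads, and separately checks a captured response header set for X-Backup-Security.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumption: a reverse proxy in front of Nginx UI writes the "combined" log format; its
# remote-user field is "-" unless the proxy itself authenticated the client.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumed trusted management ranges; adjust to the environment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:00:00 +0000] "GET /api/backup HTTP/1.1" 200 524288 "-" "python-requests/2.31"
10.0.0.5 - alice [10/Mar/2026:12:01:10 +0000] "GET /api/backup HTTP/1.1" 200 524288 "-" "Mozilla/5.0"
10.0.0.5 - alice [10/Mar/2026:12:02:00 +0000] "POST /api/restore HTTP/1.1" 403 12 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:12:03:00 +0000] "GET /api/backup HTTP/1.1" 404 0 "-" "curl/8.0"
"""

@dataclass
class Finding:
    ip: str
    timestamp: str
    severity: str  # "critical" for an anonymous or external download, else "review"

def scan_access_log(text: str) -> list[Finding]:
    """Return one Finding per successful (HTTP 200) GET of /api/backup, critical ones first."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET" or m["status"] != "200" \
                or m["path"].split("?", 1)[0] != "/api/backup":
            continue
        addr = ipaddress.ip_address(m["ip"])
        external = not any(addr in net for net in TRUSTED_NETS)
        anonymous = m["user"] == "-"
        sev = "critical" if (external or anonymous) else "review"
        findings.append(Finding(m["ip"], m["ts"], sev))
    return sorted(findings, key=lambda f: f.severity != "critical")

def leaks_key_material(headers: dict[str, str]) -> bool:
    """True if a captured response carries X-Backup-Security (header names are case-insensitive)."""
    return any(name.lower() == "x-backup-security" for name in headers)

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f"{f.severity:8} {f.ip:15} {f.timestamp}")
```

A successful download from a trusted address by an authenticated user is still reported for review, since the vulnerable endpoint never required credentials and the proxy's user field proves nothing about the request's origin inside the network.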
