CVE-2026-27944
CRITICAL
CVSS 9.8
No EPSS data
Description
Nginx UI is a web user interface for the Nginx web server. In versions prior to 2.3.3, the /api/backup endpoint can be reached without any authentication (CWE-306: missing authentication for a critical function), and the response's X-Backup-Security header carries the encryption keys needed to decrypt the archive it returns (CWE-311: sensitive material exposed in cleartext). A remote, unauthenticated attacker with network access to the UI can therefore download a complete system backup — containing user credentials, session tokens, SSL/TLS private keys and Nginx configurations — and decrypt it immediately, with no user interaction required. This issue has been patched in version 2.3.3. Because the disclosed backup includes credentials and private keys, operators of instances that were exposed while unpatched should treat those secrets as potentially compromised and rotate them after upgrading, rather than relying on the upgrade alone.
CVSS details
EPSS
This CVE is not currently listed in the EPSS dataset.
{
"cve": {
"id": "CVE-2026-27944",
"cveTags": [],
"metrics": {
"cvssMetricV31": [
{
"type": "Secondary",
"source": "security-advisories@github.com",
"cvssData": {
"scope": "UNCHANGED",
"version": "3.1",
"baseScore": 9.8,
"attackVector": "NETWORK",
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"integrityImpact": "HIGH",
"userInteraction": "NONE",
"attackComplexity": "LOW",
"availabilityImpact": "HIGH",
"privilegesRequired": "NONE",
"confidentialityImpact": "HIGH"
},
"impactScore": 5.9,
"exploitabilityScore": 3.9
}
]
},
"published": "2026-03-05T19:16:05.840",
"references": [
{
"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762",
"tags": [
"Exploit",
"Vendor Advisory"
],
"source": "security-advisories@github.com"
}
],
"vulnStatus": "Analyzed",
"weaknesses": [
{
"type": "Primary",
"source": "security-advisories@github.com",
"description": [
{
"lang": "en",
"value": "CWE-306"
},
{
"lang": "en",
"value": "CWE-311"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3."
},
{
"lang": "es",
"value": "Nginx UI es una interfaz de usuario web para el servidor web Nginx. Antes de la versi\u00f3n 2.3.3, el endpoint /api/backup es accesible sin autenticaci\u00f3n y revela las claves de cifrado necesarias para descifrar la copia de seguridad en el encabezado de respuesta X-Backup-Security. Esto permite a un atacante no autenticado descargar una copia de seguridad completa del sistema que contiene datos sensibles (credenciales de usuario, tokens de sesi\u00f3n, claves privadas SSL, configuraciones de Nginx) y descifrarla inmediatamente. Este problema ha sido parcheado en la versi\u00f3n 2.3.3."
}
],
"lastModified": "2026-03-10T18:11:27.450",
"configurations": [
{
"nodes": [
{
"negate": false,
"cpeMatch": [
{
"criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*",
"vulnerable": true,
"matchCriteriaId": "AA731011-DD7D-446C-99D7-120A6EBDD668",
"versionEndExcluding": "2.3.3"
}
],
"operator": "OR"
}
]
}
],
"sourceIdentifier": "security-advisories@github.com"
}
}