Nginx UI Exposes Encryption Keys Without Authentication

CVE-2026-27944 GHSA-g9w5-qffc-6762
Summary

Nginx UI, a web user interface for the Nginx web server, serves its backup encryption keys without requiring authentication. Anyone who can reach the interface can therefore download a complete backup of the system, including sensitive data such as passwords and encryption keys, and decrypt it. Update to version 2.3.3 or later to fix this issue.

What to do
  • Update github.com 0xjacky to version 2.3.3.
Affected software
Vendor       Product    Affected versions   Fix available
github.com   0xjacky    <= 2.3.3            2.3.3
nginxui      nginx_ui   <= 2.3.3            –
Original description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
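As an added defender-side example (not code from Nginx UI or from this advisory), the following Python script checks whether a reported Nginx UI version predates the fixed release and scans constructed Nginx access-log lines for successful downloads of /api/backup. It assumes Nginx UI sits behind an Nginx reverse proxy that writes the standard combined log format; the sample log lines are constructed, not real traffic.

```python
import re
from typing import Iterable, List, Tuple

# Facts from the advisory: before 2.3.3, /api/backup needed no authentication
# and returned the backup decryption key in the X-Backup-Security header.
FIXED_VERSION = (2, 3, 3)
BACKUP_PATH = "/api/backup"

# Nginx "combined" format: ip - user [time] "METHOD path proto" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'v2.3.1' or '2.3.3' into a comparable tuple of ints (major, minor, patch)."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])


def is_affected(version: str) -> bool:
    """True when the running Nginx UI is older than the fixed release 2.3.3."""
    return parse_version(version) < FIXED_VERSION


def find_backup_downloads(log_lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, timestamp, bytes sent) for every HTTP 200 on /api/backup.

    On an unpatched instance any such hit from a client that should not hold an
    admin session is a full backup (and its key) leaving the host.
    """
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m["path"].split("?")[0] == BACKUP_PATH and m["status"] == "200":
            hits.append((m["ip"], m["ts"], m["bytes"]))
    return hits


# Constructed sample log lines (hypothetical traffic) in Nginx combined format.
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Mar/2026:10:14:01 +0000] "GET /api/backup HTTP/1.1" 200 524288 "-" "curl/8.5.0"',
    '10.0.0.7 - - [05/Mar/2026:10:14:09 +0000] "GET /api/backup HTTP/1.1" 401 43 "-" "curl/8.5.0"',
    '10.0.0.9 - - [05/Mar/2026:10:15:22 +0000] "GET /api/dashboard HTTP/1.1" 200 1200 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("version 2.3.1 affected:", is_affected("2.3.1"))
    for ip, ts, size in find_backup_downloads(SAMPLE_LOG):
        print(f"backup downloaded by {ip} at {ts} ({size} bytes)")
```

Run it against your proxy's real access log instead of SAMPLE_LOG to see whether a backup was pulled before the upgrade; a 401 on the same path (second sample line) is the expected result on a patched instance.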
NVD CVSS 3.1 score: 9.8
Vulnerability type
CWE-306 Missing Authentication for Critical Function
CWE-311 Missing Encryption of Sensitive Data
Published: 5 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026