Latest Nginx UI vulnerability: CVE-2026-27944 #
Nginx UI disclosed that certain versions of Nginx UI are affected by a vulnerability that allows for unauthenticated backup data downloads and the disclosure of associated encryption keys. This flaw stems from missing authentication on the /api/backup endpoint. Additionally, the AES-256 encryption key and IV (Initialization Vector) required to decrypt the backup are transmitted in plaintext within the X-Backup-Security response header. The vulnerability has been designated CVE-2026-27944 and has been rated critical with a CVSS score of 9.8.
The following versions are affected:
- Nginx UI: all versions prior to 2.3.3
What is Nginx UI? #
Nginx UI is a web-based graphical interface used to manage Nginx server configurations, SSL certificates, and system logs without manual command-line editing.
What is the impact? #
Successful exploitation of the vulnerability enables a remote, unauthenticated adversary to download and decrypt a full system backup containing sensitive information, such as user credentials, session tokens, SSL private keys, and Nginx configurations.
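As an added example that is not part of this advisory, the following Python check scans a reverse proxy's access log for successful downloads of the /api/backup endpoint from outside trusted administrative networks, which is the trace this flaw would leave; the combined log format, the sample lines and the trusted CIDR ranges are assumptions.

```python
import ipaddress
import re

# Matches the common/combined access-log format of a reverse proxy placed in front of Nginx UI (assumed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
BACKUP_PATH = "/api/backup"  # endpoint named in the advisory


def find_backup_downloads(log_text, trusted_cidrs):
    """Return one record per successful GET /api/backup from outside trusted_cidrs.

    A plain access log does not show whether a request carried a valid session, so a
    2xx response to the backup endpoint from an unexpected network is the signal to
    investigate, and the secrets contained in the backup should be treated as exposed.
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] != "GET" or path != BACKUP_PATH:
            continue
        if not 200 <= int(m["status"]) < 300:
            continue  # denied or failed requests are noise for this purpose
        src = ipaddress.ip_address(m["ip"])
        if any(src in net for net in trusted):
            continue
        hits.append({"ip": m["ip"], "time": m["time"],
                     "bytes": 0 if m["size"] == "-" else int(m["size"])})
    return hits


# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Mar/2026:10:01:02 +0000] "GET /api/backup HTTP/1.1" 200 4194304 "-" "python-requests/2.31"
10.0.0.5 - - [01/Mar/2026:10:02:00 +0000] "GET /api/backup HTTP/1.1" 200 4194304 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2026:10:03:15 +0000] "GET /api/backup?x=1 HTTP/1.1" 401 0 "-" "curl/8.4"
198.51.100.9 - - [01/Mar/2026:10:04:00 +0000] "GET /api/settings HTTP/1.1" 200 512 "-" "curl/8.4"
"""

if __name__ == "__main__":
    for hit in find_backup_downloads(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"{hit['time']} {hit['ip']} downloaded {hit['bytes']} bytes from {BACKUP_PATH}")
```

Run against the constructed log with 10.0.0.0/8 as the trusted range, it reports the single external download and ignores the denied request and the unrelated endpoint.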
Are updates or workarounds available? #
Users are encouraged to update to the latest version as quickly as possible:
- Nginx UI: upgrade to version 2.3.3 or later
How to find potentially vulnerable systems with runZero #
From the Service Inventory, use the following query to locate systems running potentially vulnerable software:
_asset.protocol:=http AND protocol:=http AND favicon.ico.image.mmh3:="-1565173320"