VulnWatch Monday: CVE-2026-27944 🔓

A critical vulnerability in Nginx UI allows unauthenticated attackers to download and decrypt full system backups. It affects all versions before 2.3.2.

โš™๏ธ The flaw is caused by two security failures: the /api/backup endpoint lacks authentication, and the system exposes the Base64โ€‘encoded AESโ€‘256 encryption key and IV in the X-Backup-Security HTTP header.

Attackers can simply send a GET request to download encrypted backup archives and immediately decrypt them using the leaked keys.

🔓 Decrypted backups may reveal user credentials (database.db), configuration files (app.ini), SSL certificates, private keys and Nginx configurations, enabling attackers to take over the Nginx UI console, intercept traffic or move deeper into the network.
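A defender-side check for the exposure described above, added here as an example and not part of the original post or the Nginx UI project: it scans Nginx access logs in the standard combined format for successful unauthenticated GET requests to /api/backup, which on an unpatched instance means an archive and its key in X-Backup-Security left the server. The log lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# Nginx "combined" access log format (the sample lines below are constructed).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the advisory; a 200 here means a backup archive was served.
BACKUP_PATH = "/api/backup"

SAMPLE_LOG = """\
203.0.113.7 - - [09/Mar/2026:10:14:02 +0000] "GET /api/backup HTTP/1.1" 200 184322 "-" "python-requests/2.31.0"
198.51.100.4 - - [09/Mar/2026:10:14:09 +0000] "GET /api/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [09/Mar/2026:10:14:15 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 184322 "-" "python-requests/2.31.0"
192.0.2.10 - - [09/Mar/2026:10:15:01 +0000] "GET /api/backup HTTP/1.1" 401 0 "-" "curl/8.5.0"
"""

@dataclass
class BackupHit:
    ip: str
    time: str
    size: int

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_backup_downloads(log_text):
    """Return one BackupHit per successful (HTTP 200) GET of the backup endpoint.
    401/403 responses are what a patched, authenticating instance should produce."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?")[0]  # ignore query string when matching
        if rec["method"] == "GET" and path == BACKUP_PATH and rec["status"] == "200":
            size = int(rec["size"]) if rec["size"].isdigit() else 0
            hits.append(BackupHit(rec["ip"], rec["time"], size))
    return hits

def downloads_by_ip(log_text):
    """Count successful backup downloads per source address, for triage."""
    counts = {}
    for hit in find_backup_downloads(log_text):
        counts[hit.ip] = counts.get(hit.ip, 0) + 1
    return counts

if __name__ == "__main__":
    for hit in find_backup_downloads(SAMPLE_LOG):
        print(f"{hit.time}  {hit.ip}  downloaded backup ({hit.size} bytes)")
    print(downloads_by_ip(SAMPLE_LOG))
```

Any hit on a pre-2.3.2 instance should be treated as a confirmed backup exfiltration, since the key needed to decrypt it travelled in the same response.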

A public Python PoC demonstrating the exploit is already available.

🔧 Fix? Yes: Nginx UI version 2.3.3

🔎 GitHub advisory: https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762
💾 View JSON: https://cveawg.mitre.org/api/cve/CVE-2026-27944