Nginx UI Vulnerabilities Let Attackers Download Full System Backups
A critical security flaw in Nginx UI, tracked as CVE-2026-27944, allows unauthenticated attackers to download full system backups and instantly decrypt them, exposing user credentials, SSL private keys, session tokens, and Nginx configurations. The vulnerability has a CVSS 3.1 score of 9.8 (Critical) and affects all versions before 2.3.3.
The vulnerability stems from two compounding security failures in the Nginx UI codebase. The CVE is classified as CWE-306 (Missing Authentication for Critical Function) and CWE-311 (Missing Encryption of Sensitive Data); the two weaknesses contribute equally to the exploit's severity, because each one alone would have been far less damaging.
The first flaw is a completely unprotected /api/backup endpoint. In api/backup/router.go, the backup route is registered without any authentication middleware, so any unauthenticated user on the network can send a basic GET /api/backup HTTP request and receive a full system backup archive: no credentials, no session, no token required. By contrast, the restore endpoint on the same router correctly enforces middleware protection, which makes the omission on the backup side a clear oversight.
The second flaw eliminates any remaining protection the encryption might have offered. Even though the backup archive is encrypted with AES-256-CBC, the decryption key and initialization vector (IV) are sent back in plaintext inside the X-Backup-Security HTTP response header, formatted as base64_key:base64_iv.
An attacker therefore receives the encrypted file and the material needed to unlock it in a single response, which renders the encryption entirely pointless.
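To make the two failures concrete, the following added example (written for this article, not code from the Nginx UI project) models both routers side by side with the Go standard library: a vulnerable router that mounts /api/backup with no middleware and echoes the key material in X-Backup-Security, and a fixed router that wraps the same route in an authentication check and never writes key material to a header. The token value, the archive bytes and the key/IV string are placeholders constructed for the demo.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Placeholder values for the demo. A real deployment validates the token
// against its session store and generates a fresh key/IV per backup.
const (
	demoSessionToken = "demo-session-token"
	demoKeyAndIV     = "BASE64KEY_PLACEHOLDER:BASE64IV_PLACEHOLDER"
)

// requireAuth is the session check the vulnerable backup route was missing.
// The comparison is constant-time so the check itself does not leak the token.
func requireAuth(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		want := []byte("Bearer " + demoSessionToken)
		got := []byte(r.Header.Get("Authorization"))
		if subtle.ConstantTimeCompare(got, want) != 1 {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// writeArchive sends a stand-in for the encrypted backup body.
func writeArchive(w http.ResponseWriter) {
	w.Header().Set("Content-Type", "application/zip")
	w.Header().Set("Content-Disposition", `attachment; filename="backup.zip"`)
	w.WriteHeader(http.StatusOK)
	w.Write([]byte("PK\x03\x04<placeholder encrypted archive>"))
}

// leakyBackupHandler mirrors the reported behaviour: the decryption material
// travels in the X-Backup-Security header right next to the ciphertext.
func leakyBackupHandler(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("X-Backup-Security", demoKeyAndIV)
	writeArchive(w)
}

// fixedBackupHandler never puts key material in a response header; the
// operator has to obtain it through a separate authenticated channel.
func fixedBackupHandler(w http.ResponseWriter, r *http.Request) {
	writeArchive(w)
}

// newVulnerableRouter registers the backup route with no middleware at all.
func newVulnerableRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/backup", http.HandlerFunc(leakyBackupHandler))
	return mux
}

// newFixedRouter wraps the backup route in requireAuth, as restore already was.
func newFixedRouter() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/backup", requireAuth(http.HandlerFunc(fixedBackupHandler)))
	return mux
}

// fetchBackup performs an in-process GET /api/backup against a router and
// reports the status code and whether X-Backup-Security came back.
func fetchBackup(h http.Handler, token string) (int, bool) {
	req := httptest.NewRequest(http.MethodGet, "/api/backup", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	_, leaked := rec.Result().Header["X-Backup-Security"]
	return rec.Code, leaked
}

func main() {
	routers := map[string]http.Handler{
		"vulnerable": newVulnerableRouter(),
		"fixed":      newFixedRouter(),
	}
	for name, h := range routers {
		code, leaked := fetchBackup(h, "")
		fmt.Printf("%-10s unauthenticated GET /api/backup -> %d, key in header: %v\n", name, code, leaked)
	}
}
```

The contrast the example makes is the one the advisory draws: protection is a property of the route registration, so a route that is mounted outside the middleware chain is wide open regardless of how the rest of the API is secured, and key material that is sent in the same response as the ciphertext gives the encryption no value against whoever can reach the endpoint.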
Once downloaded and decrypted, the backup archive reveals deeply sensitive system contents. The nginx-ui.zip component contains database.db with user credentials and active session tokens, along with app.ini holding application secrets and server.key/cert SSL certificate files.
The nginx.zip component exposes the full nginx.conf, all virtual host configurations under sites-enabled/, and SSL private keys stored in the ssl/ directory. A hash_info.txt file rounds out the archive with SHA-256 integrity hashes and version metadata.
A working Python PoC confirms the full exploit chain. The attacker runs a single command targeting the victim’s Nginx UI port, and the script automatically fetches the backup, extracts the AES-256 key and IV from the X-Backup-Security response header, and decrypts all archive contents in seconds.
According to the nginx advisory, a raw HTTP trigger is as simple as a plain GET /api/backup request with no authentication headers whatsoever. Security researcher tenbbughunters is credited with discovering and responsibly disclosing the vulnerability.
Mitigation:
Users should immediately upgrade to Nginx UI version 2.3.3, which patches the vulnerability by enforcing authentication on the /api/backup endpoint and removing encryption key disclosure from response headers.
Organizations running Nginx UI in internet-facing or shared environments should treat this as a priority patch, given that it is remotely exploitable with zero privileges. Until the patch is applied, network-level controls, such as firewall rules blocking access to the Nginx UI management port from untrusted sources, can help reduce the attack surface.
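Because the endpoint requires no credentials, an access log is the only place a vulnerable host records who pulled a backup. The following added example (written for this article, not tooling from the Nginx UI project) scans Nginx "combined"-format access log lines and separates successful GET /api/backup downloads from rejected attempts, so an operator can review which source addresses retrieved an archive before the patch was applied. The log lines are constructed sample data; the addresses and user agents are not real traffic.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample lines in the default Nginx "combined" format.
// They mix a still-vulnerable host (200 to anyone) with a patched host (401).
const sampleAccessLog = `198.51.100.7 - - [10/Mar/2026:09:14:02 +0000] "GET /api/backup HTTP/1.1" 200 184232 "-" "python-requests/2.31.0"
10.0.0.12 - - [10/Mar/2026:09:15:40 +0000] "GET /api/backup HTTP/1.1" 401 23 "-" "python-requests/2.31.0"
10.0.0.8 - - [10/Mar/2026:09:16:11 +0000] "GET /api/settings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:09:17:55 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 184232 "-" "curl/8.5.0"
203.0.113.9 - - [10/Mar/2026:09:18:01 +0000] "POST /api/restore HTTP/1.1" 403 0 "-" "curl/8.5.0"`

// combinedLine captures source, timestamp, method, path, status and body size.
var combinedLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)`)

// BackupHit is one request for the backup endpoint found in the log.
type BackupHit struct {
	Source string
	Time   string
	Status int
	Bytes  int
}

// FindBackupRequests returns every GET of /api/backup, split into successful
// downloads (status 200, an archive left the host) and rejected attempts.
func FindBackupRequests(log string) (downloads, attempts []BackupHit) {
	for _, line := range strings.Split(log, "\n") {
		m := combinedLine.FindStringSubmatch(line)
		if m == nil || m[3] != "GET" {
			continue
		}
		path := m[4]
		if i := strings.IndexByte(path, '?'); i >= 0 {
			path = path[:i] // ignore any query string when matching the route
		}
		if path != "/api/backup" {
			continue
		}
		status, _ := strconv.Atoi(m[5])
		size, _ := strconv.Atoi(m[6]) // "-" (no body) parses as 0
		hit := BackupHit{Source: m[1], Time: m[2], Status: status, Bytes: size}
		if status == 200 {
			downloads = append(downloads, hit)
		} else {
			attempts = append(attempts, hit)
		}
	}
	return downloads, attempts
}

func main() {
	downloads, attempts := FindBackupRequests(sampleAccessLog)
	for _, d := range downloads {
		fmt.Printf("BACKUP DOWNLOADED by %s at %s (%d bytes)\n", d.Source, d.Time, d.Bytes)
	}
	for _, a := range attempts {
		fmt.Printf("backup request rejected for %s at %s (status %d)\n", a.Source, a.Time, a.Status)
	}
}
```

On a version before 2.3.3 every 200 response on this route is a completed exfiltration of credentials, session tokens and SSL private keys, so each download from an address that is not a known administrator's should be treated as a compromise of the secrets listed above and followed by rotating them. The key and IV were sent in a response header, which access logs do not record, so the download itself is the indicator; there is no way to tell from the log whether the recipient used the header to decrypt the archive.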
Site: cybersecuritypath.com