Cyber Posture

CVE-2026-27944

Severity: Critical · Public PoC referenced

Published: 05 March 2026
Modified: 10 March 2026
KEV Added: not listed
Patch: 2.3.3
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0607 (90.8th percentile)
Risk Priority: 23 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27944 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Nginx UI (catalogued as Nginxui Nginx Ui). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 9.2% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and one other technique, Exploitation for Credential Access (T1212). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-14, Permitted Actions Without Identification or Authentication (prevent): requires that every action permitted without authentication be explicitly identified and authorized, which directly prevents unauthenticated access to the /api/backup endpoint.
- SC-14, Public Access Protections (prevent): enforces approved authorizations and protections at public access points, mitigating unauthenticated exposure of backups via the vulnerable endpoint. Note that SC-14 was withdrawn in Revision 4, with its capability folded into AC-3 and related controls, so AC-3 is the control to cite in an r5 mapping.
- AC-3, Access Enforcement (prevent): mandates enforcement of approved access authorizations, which would block unauthenticated requests to download and decrypt sensitive backups.

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1212 Exploitation for Credential Access (Credential Access): adversaries may exploit software vulnerabilities in an attempt to collect credentials.

Why these techniques?

Unauthenticated access to the /api/backup endpoint of a public-facing Nginx UI instance is exploitation of a public-facing application (T1190); because the response carries both the backup and its decryption key, the same request directly yields credentials, private keys and configurations (T1212).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.

Deeper analysis

CVE-2026-27944 affects Nginx UI, a web user interface for the Nginx web server, in versions prior to 2.3.3. The vulnerability resides in the /api/backup endpoint, which is accessible without authentication and exposes encryption keys needed to decrypt backups via the X-Backup-Security response header. This flaw, linked to CWE-306 (Missing Authentication for Critical Function) and CWE-311 (Missing Encryption of Sensitive Data), enables attackers to retrieve and immediately decrypt full system backups containing highly sensitive information such as user credentials, session tokens, SSL private keys, and Nginx configurations. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.

Any unauthenticated remote attacker with network access to the Nginx UI instance can exploit this vulnerability. A single request to the /api/backup endpoint returns both the encrypted backup file and, in the X-Backup-Security response header, the key needed to decrypt it, so all contained sensitive data is exposed without further privileges or user interaction.

The issue has been addressed in Nginx UI version 2.3.3, where authentication requirements and key exposure were fixed. Additional details are available in the GitHub Security Advisory at https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762.
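The two defender-side checks this advisory calls for are a version gate against the 2.3.3 fix and a retrospective search of reverse-proxy access logs for successful /api/backup requests. The script below is an added example, not code from Nginx UI or from this page; it assumes the proxy writes the common "combined" log format and that the sample log lines and trusted-source list are constructed for illustration.

```python
import re

# Per the NVD description: /api/backup served backups without authentication before 2.3.3.
BACKUP_PATH = "/api/backup"
FIXED_VERSION = (2, 3, 3)
# Combined access-log format: client, identd, user, [time], "request", status, bytes.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def parse_version(text):
    """Turn '2.3.2', 'v2.3.2' or '2.3.2-beta' into a comparable tuple of ints."""
    core = text.strip().lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))

def is_vulnerable_version(text):
    """True for any release older than the 2.3.3 fix named in the advisory."""
    return parse_version(text) < FIXED_VERSION

def find_backup_downloads(lines, trusted_sources=frozenset()):
    """Return (source, timestamp, bytes) for successful /api/backup requests from
    sources outside the admin allow-list. Only 2xx responses count: a 401/403 means
    the authentication check (present from 2.3.3) did its job."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # ignore any query string
        if path != BACKUP_PATH or not m.group("status").startswith("2"):
            continue
        if m.group("src") in trusted_sources:
            continue
        size = m.group("size")
        hits.append((m.group("src"), m.group("ts"), 0 if size == "-" else int(size)))
    return hits

# Constructed sample log lines (not from any real system) for a stand-alone run.
SAMPLE_LOG = [
    '203.0.113.7 - - [05/Mar/2026:10:01:12 +0000] "GET /api/backup HTTP/1.1" 200 48211 "-" "curl/8.5.0"',
    '10.0.0.5 - - [05/Mar/2026:10:02:30 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [05/Mar/2026:10:03:01 +0000] "GET /api/configs HTTP/1.1" 200 1320 "-" "curl/8.5.0"',
    '198.51.100.9 - - [10/Mar/2026:09:15:44 +0000] "GET /api/backup HTTP/1.1" 401 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    for hit in find_backup_downloads(SAMPLE_LOG, trusted_sources={"10.0.0.5"}):
        print("possible unauthenticated backup download:", hit)
```

Standard access logs do not record response headers, so the X-Backup-Security disclosure itself is only visible if the proxy's log_format also captures $sent_http_x_backup_security; the request-level signal above is what most deployments will have.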

Details

CWE(s): CWE-306 (Missing Authentication for Critical Function), CWE-311 (Missing Encryption of Sensitive Data)

Affected Products

nginxui nginx ui, versions ≤ 2.3.3 as listed; the NVD description states the issue is fixed in 2.3.3, so treat 2.3.3 as the first patched release.
