CVE-2026-27944 – Unauthenticated Backup Download with Encryption Key Disclosure

CVSS 9.8 CRITICAL

“Any unauthenticated user on the internet could walk away with your server’s keys, certificates, and credentials — all in a single request.”

CVE-2026-27944 affects Nginx UI, a web-based management interface for the Nginx web server. It carries a CVSS score of 9.8 (Critical). No real-world exploitation has been confirmed. The /api/backup endpoint is reachable without authentication, and the server returns the AES-256 encryption key and initialization vector for the backup in an HTTP response header, in the clear, so an attacker can download a full system backup and decrypt it immediately. The exposed data includes administrator credentials, active session tokens, SSL private keys, and the complete Nginx configuration.
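
The design flaw described above, as an added example that is not code from Nginx UI or from this advisory: a toy Go backup endpoint in the vulnerable shape (no authentication, per-request key and IV handed back in response headers) next to a hardened version (bearer-token check in constant time, encryption under a server-held key that never leaves the process), plus a probe that shows what an unauthenticated caller gets from each. The header names, the admin token and the backup contents are all constructed for this example; the real header names are not given on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Constructed sample backup standing in for the real archive (credentials,
// session tokens, TLS private keys, nginx configuration).
const sampleBackup = "admin:$2a$10$examplehash\nssl_certificate_key /etc/nginx/ssl/site.key;\n"

// Hypothetical header names for this example; the page does not give the real ones.
const keyHeader, ivHeader = "X-Backup-Encryption-Key", "X-Backup-Encryption-IV"

// Assumed admin session token for the hardened handler (not from the project).
var adminToken = []byte("example-session-token")

// Server-held key for the hardened handler; it never leaves the process.
var serverKey = mustRandom(32)

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// ctr applies AES-256-CTR, which is its own inverse; iv must be one block.
func ctr(key, iv, in []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// VulnerableBackupHandler reproduces the flaw: no authentication check, and the
// per-request key and IV are returned in headers, so the encryption protects nothing.
func VulnerableBackupHandler(w http.ResponseWriter, r *http.Request) {
	key, iv := mustRandom(32), mustRandom(aes.BlockSize)
	w.Header().Set(keyHeader, hex.EncodeToString(key))
	w.Header().Set(ivHeader, hex.EncodeToString(iv))
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Write(ctr(key, iv, []byte(sampleBackup)))
}

// HardenedBackupHandler requires a valid bearer token (constant-time compare)
// and encrypts under the server-held key, sending only the public IV.
func HardenedBackupHandler(w http.ResponseWriter, r *http.Request) {
	got := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	if subtle.ConstantTimeCompare([]byte(got), adminToken) != 1 {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	iv := mustRandom(aes.BlockSize)
	w.Header().Set("Content-Type", "application/octet-stream")
	w.Write(append(iv, ctr(serverKey, iv, []byte(sampleBackup))...))
}

// ProbeResult records what a caller gets back from GET /api/backup.
type ProbeResult struct {
	Status    int
	KeyLeaked bool
	Recovered string // plaintext recovered from the body using leaked headers
}

// Probe sends GET /api/backup to the handler, optionally with a bearer token,
// and tries to decrypt the body with whatever key material the headers leak.
func Probe(h http.HandlerFunc, token string) ProbeResult {
	req := httptest.NewRequest(http.MethodGet, "/api/backup", nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h(rec, req)
	res := rec.Result()
	body, _ := io.ReadAll(res.Body)
	out := ProbeResult{Status: res.StatusCode}
	if keyHex, ivHex := res.Header.Get(keyHeader), res.Header.Get(ivHeader); keyHex != "" && ivHex != "" {
		key, _ := hex.DecodeString(keyHex)
		iv, _ := hex.DecodeString(ivHex)
		out.KeyLeaked = true
		out.Recovered = string(ctr(key, iv, body))
	}
	return out
}

func main() {
	fmt.Printf("vulnerable, no auth:  %+v\n", Probe(VulnerableBackupHandler, ""))
	fmt.Printf("hardened, no auth:    %+v\n", Probe(HardenedBackupHandler, ""))
	fmt.Printf("hardened, with token: %+v\n", Probe(HardenedBackupHandler, string(adminToken)))
}
```

Against the vulnerable handler the probe gets a 200 with no credentials and recovers the full plaintext from the body using only the headers; against the hardened handler it gets a 401 without a token, and with one it gets ciphertext it cannot open. The two fixes are independent: the authentication check closes CWE-306, and keeping the key server-side means that even an authorization bug would not turn a downloaded archive into plaintext.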

For any organization with the management interface exposed to the internet, this vulnerability amounts to a full server compromise that requires no credentials and no skill: a single unauthenticated request. Stolen SSL private keys let an attacker impersonate your sites and intercept your users' traffic. Exposed administrator credentials and session tokens hand over control of the web server and everything it fronts. The fix is available in Nginx UI version 2.3.3; all earlier versions are affected and must be updated immediately. Where the interface was reachable from untrusted networks, treat every secret a backup would contain (administrator passwords, session tokens, and TLS private keys) as compromised and rotate it after patching.

Key Details

Affected Product: Nginx UI (vendor: nginxui)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CWE Classification: CWE-306 (Missing Authentication for Critical Function)