Description
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
Published: 2026-03-05
Score: 9.8 Critical
EPSS: 22.2% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The /api/backup endpoint in Nginx UI allows an attacker to retrieve a full system backup without any form of authentication. The response includes an X-Backup-Security header that contains the encryption key required to decrypt the backup archive. This combination of unauthenticated access and disclosure of the decryption key enables the attacker to obtain and decrypt sensitive data such as credentials, session tokens, SSL private keys and Nginx configuration files. The weakness aligns with CWE‑306 (Missing Authentication) and CWE‑311 (Weak Encryption), resulting in a serious breach of confidentiality.

Affected Systems

The flaw exists in all releases of the 0xJacky Nginx UI product before version 2.3.3. Any deployment of the web interface installed for managing an Nginx web server and that has not been updated to 2.3.3 or later is vulnerable. The issue is tied to the API component that serves backup files, not to the core Nginx server itself.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.8, indicating an extremely high severity. The EPSS score of 22% shows a moderate likelihood of exploitation in the near future. Attackers can reach the vulnerable endpoint over the network without authentication, download the backup, and immediately use the disclosed key to decrypt the data. This vulnerability is not listed in the CISA KEV catalog, but the high CVSS and non-trivial EPSS mean that an immediate patch is highly recommended. Without remediation, an unauthenticated attacker can compromise the confidentiality of all data stored in the backup.

Generated by OpenCVE AI on June 18, 2026 at 10:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nginx UI to version 2.3.3 or later, which removes the unauthenticated /api/backup endpoint and encrypts the key properly.
  • If an upgrade cannot be applied immediately, block access to the /api/backup URL with firewall rules or remove the backup endpoint from the application to prevent unauthorized use.
  • Ensure that backup files are accessible only to authenticated administrators and that backup data is encrypted in transit and at rest, limiting exposure even if an attacker manages to bypass the protection.

Generated by OpenCVE AI on June 18, 2026 at 10:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-g9w5-qffc-6762 Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure
History

Thu, 19 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 10 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Nginxui
Nginxui nginx Ui
CPEs cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*
Vendors & Products Nginxui
Nginxui nginx Ui

Fri, 06 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 15:30:00 +0000

Type Values Removed Values Added
First Time appeared 0xjacky
0xjacky nginx-ui
Vendors & Products 0xjacky
0xjacky nginx-ui

Thu, 05 Mar 2026 18:15:00 +0000

Type Values Removed Values Added
Description Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
Title Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure
Weaknesses CWE-306
CWE-311
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

0xjacky Nginx-ui
Nginxui Nginx Ui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-19T14:49:05.173Z

Reserved: 2026-02-25T03:11:36.690Z

Link: CVE-2026-27944

cve-icon Vulnrichment

Updated: 2026-03-06T16:01:37.626Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-05T19:16:05.840

Modified: 2026-06-17T10:27:57.110

Link: CVE-2026-27944

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T10:45:03Z

Weaknesses
  • CWE-306

    Missing Authentication for Critical Function

  • CWE-311

    Missing Encryption of Sensitive Data