Impact
The vulnerability resides in the Nginx UI web interface, where the /api/backup endpoint is reachable without authentication. An unauthenticated GET returns the encrypted backup archive in the response body and the key needed to decrypt it in the X-Backup-Security response header. The endpoint performs a critical function without checking who is calling (CWE-306, missing authentication for a critical function) and hands the requester the key in the clear alongside the data it protects (CWE-311, missing encryption of sensitive data), so the encryption of the backup offers no protection at all. An attacker therefore obtains a complete backup containing user credentials, session tokens, SSL private keys and server configurations, decrypts it immediately, and gains everything needed to take over the Nginx UI instance and, through the recovered credentials and keys, potentially the host and other systems.
Affected Systems
The affected product is Nginx UI, developed by 0xJacky, in versions earlier than 2.3.3; version 2.3.3 contains the fix. The flaw is in the management interface itself, so every deployment of it is affected regardless of the underlying Nginx server version. No additional vendors or integrations are listed beyond the primary product.
Risk and Exploitability
The CVSS base score of 9.8 indicates critical severity. The EPSS score of 7% is the estimated probability that exploitation activity against this flaw is observed in the wild within the next 30 days; it is not a share of incidents, but for a single-request, unauthenticated flaw it is high enough to warrant prompt patching. The vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation is one HTTP GET to /api/backup against any unpatched instance the attacker can reach, whether exposed to the internet or only on an internal network; no credentials and no user interaction are required. The response carries both the backup and its key, so the attacker can decrypt the backup straight away and the window between exposure and full compromise is effectively zero. The only prerequisites are network reachability of the Nginx UI instance and a version earlier than 2.3.3. Upgrading to 2.3.3 or later removes the flaw, and restricting network access to the management interface limits exposure until the upgrade is done. Any instance that was reachable while unpatched should be treated as compromised: rotate the credentials, session tokens and SSL private keys that the backup contains.
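The following script is an added example, not code from the Nginx UI project or from the advisory. It does two things a practitioner would want from the description above: it classifies the response to an unauthenticated GET /api/backup (vulnerable when a 200 arrives with the X-Backup-Security header, authentication enforced on 401/403) without keeping the backup body, and it triages nginx access logs for successful downloads of that path. The probe's use of urllib, the treatment of 401/403 as "auth enforced", and the default nginx combined log format are assumptions; the sample log lines are constructed, not real traffic.

```python
"""Exposure check and log triage for the unauthenticated Nginx UI /api/backup
endpoint. Added example, not code from the Nginx UI project.

Assumptions (not stated in the advisory): the probe uses urllib over HTTP(S),
a 401/403 means authentication is enforced, and access log lines follow the
default nginx 'combined' format.
"""
import re
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Tuple

KEY_HEADER = "X-Backup-Security"   # header named in the advisory
BACKUP_PATH = "/api/backup"


@dataclass
class Assessment:
    status: int
    key_disclosed: bool   # True when the key header is present
    verdict: str


def assess_response(status: int, headers: Mapping[str, str]) -> Assessment:
    """Classify a response to an unauthenticated GET /api/backup.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    key_present = KEY_HEADER.lower() in lower
    if status == 200 and key_present:
        verdict = "VULNERABLE: backup served and key disclosed without auth"
    elif status == 200:
        verdict = "SUSPECT: backup served without auth, key header absent"
    elif status in (401, 403):
        verdict = "OK: authentication enforced"
    else:
        verdict = f"UNKNOWN: unexpected status {status}"
    return Assessment(status, key_present, verdict)


def probe(base_url: str, timeout: float = 5.0) -> Assessment:
    """Send one unauthenticated GET to /api/backup and classify the result.

    The body is discarded on purpose: confirming exposure does not require
    keeping a copy of anyone's backup.
    """
    req = urllib.request.Request(base_url.rstrip("/") + BACKUP_PATH, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as e:
        return assess_response(e.code, dict(e.headers))


# nginx 'combined' log format (assumed); captures only the fields needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def find_backup_downloads(lines: Iterable[str]) -> List[Tuple[str, str, int]]:
    """Return (client_ip, timestamp, bytes_sent) for every GET /api/backup
    that completed with a 200. On an unpatched instance each hit is a likely
    backup exfiltration; query strings are stripped before comparing paths."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if m.group("method") == "GET" and path == BACKUP_PATH and m.group("status") == "200":
            size = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
            hits.append((m.group("ip"), m.group("ts"), size))
    return hits


# Constructed sample log lines for demonstration (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jan/2025:03:14:07 +0000] "GET /api/backup HTTP/1.1" 200 184320 "-" "curl/8.5.0"',
    '198.51.100.4 - - [10/Jan/2025:03:14:09 +0000] "GET /api/backup HTTP/1.1" 401 52 "-" "curl/8.5.0"',
    '192.0.2.10 - - [10/Jan/2025:03:15:00 +0000] "GET /api/settings HTTP/1.1" 200 912 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jan/2025:03:16:30 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 184320 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # optional: python check.py https://nginx-ui.example
        print(probe(sys.argv[1]).verdict)
    for ip, ts, size in find_backup_downloads(SAMPLE_LOG):
        print(f"backup downloaded by {ip} at {ts} ({size} bytes)")
```

Run the script with a base URL to probe one instance, or feed real access log lines to find_backup_downloads to see which clients already pulled a backup; a hit from an instance that was unpatched at that time means the credentials, tokens and SSL keys in the backup must be rotated.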
Sources
OpenCVE enrichment; GitHub Security Advisory (GHSA).