Impact
The /api/backup endpoint in Nginx UI allows an attacker to retrieve a full system backup without any form of authentication. The response includes an X-Backup-Security header that contains the encryption key required to decrypt the backup archive. This combination of unauthenticated access and disclosure of the decryption key enables the attacker to obtain and decrypt sensitive data such as credentials, session tokens, SSL private keys and Nginx configuration files. The weakness aligns with CWE‑306 (Missing Authentication) and CWE‑311 (Weak Encryption), resulting in a serious breach of confidentiality.
Affected Systems
The flaw exists in all releases of the 0xJacky Nginx UI product before version 2.3.3. Any deployment of the web interface installed for managing an Nginx web server and that has not been updated to 2.3.3 or later is vulnerable. The issue is tied to the API component that serves backup files, not to the core Nginx server itself.
Risk and Exploitability
The vulnerability carries a CVSS score of 9.8, indicating an extremely high severity. The EPSS score of 22% shows a moderate likelihood of exploitation in the near future. Attackers can reach the vulnerable endpoint over the network without authentication, download the backup, and immediately use the disclosed key to decrypt the data. This vulnerability is not listed in the CISA KEV catalog, but the high CVSS and non-trivial EPSS mean that an immediate patch is highly recommended. Without remediation, an unauthenticated attacker can compromise the confidentiality of all data stored in the backup.
OpenCVE Enrichment
Github GHSA