Data Security, Vulnerability Management, Patch/Configuration Management

Critical Nginx UI flaw allows unauthenticated backup downloads and decryption

A critical vulnerability in Nginx UI, identified as CVE-2026-27944, allows attackers to download and decrypt full server backups without any authentication. This flaw poses a significant risk to organizations that expose the management interface, potentially revealing sensitive configuration data, credentials, and encryption keys, as reported by Security Affairs.

The vulnerability stems from an unauthenticated "/api/backup" endpoint that lets anyone who can reach the management interface request a full system backup. The backup is AES-256 encrypted, but the encryption key and initialization vector (IV) are returned to the requester in the "X-Backup-Security" response header, so the encryption provides no protection at all: an unauthenticated attacker can download the archive and decrypt it in the same exchange. The backup can contain user credentials, session tokens, SSL/TLS private keys, and Nginx configurations. A proof-of-concept exploit is available, highlighting the ease of exploitation. The consequences include takeover of the management interface, traffic redirection, and man-in-the-middle attacks using the stolen SSL/TLS keys.

This vulnerability underscores the critical importance of never exposing management interfaces to the public internet. Organizations must restrict access via private networks or secure tunnels and implement additional security measures like IP allowlisting and multi-factor authentication. Regular security reviews of APIs and administrative endpoints are essential to prevent minor design flaws from creating significant security gaps. Given Nginx's widespread use, vulnerabilities in its management tools can have far-reaching implications for infrastructure security.
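One practical check that follows from the two paragraphs above is to look back through the Nginx access log for successful unauthenticated hits on the backup endpoint, and to separate requests from the management network from everything else. The script below is an added example written for this page, not code from Nginx UI or from the advisory; the "/api/backup" path comes from the article, while the log lines, the 10.0.0.0/8 management allowlist and the default "combined" log format are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass

# Nginx default "combined" log format (assumed here):
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)

# Constructed sample log lines for illustration; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2026:09:14:02 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "curl/8.5.0"
203.0.113.77 - - [12/Mar/2026:09:15:41 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "python-requests/2.31"
203.0.113.77 - - [12/Mar/2026:09:15:43 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 48213 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2026:09:16:00 +0000] "GET /api/backup HTTP/1.1" 401 0 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Mar/2026:09:17:10 +0000] "GET /api/sites HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Assumed management network; replace with the ranges that should reach the UI.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]
# Endpoint named in the advisory coverage; verify against the advisory for your version.
BACKUP_PATH = "/api/backup"


@dataclass
class Finding:
    ip: str
    time: str
    status: int
    bytes_sent: int
    allowlisted: bool


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_allowlisted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_ALLOWLIST)


def find_backup_downloads(log_text):
    """Every successful (HTTP 200) request for the backup endpoint, query string ignored."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0].rstrip("/")
        if path != BACKUP_PATH:
            continue
        status = int(rec["status"])
        if status != 200:
            continue  # a 401/403 means the download did not happen
        bytes_sent = int(rec["bytes"]) if rec["bytes"] != "-" else 0
        findings.append(Finding(rec["ip"], rec["time"], status, bytes_sent, is_allowlisted(rec["ip"])))
    return findings


def external_backup_downloads(log_text):
    """Successful backup downloads from addresses outside the management allowlist."""
    return [f for f in find_backup_downloads(log_text) if not f.allowlisted]


if __name__ == "__main__":
    for f in external_backup_downloads(SAMPLE_LOG):
        print(f"backup pulled from non-allowlisted {f.ip} at {f.time} ({f.bytes_sent} bytes)")
```

On the sample data this flags the two downloads from 203.0.113.77 and ignores the 401 and the unrelated "/api/sites" request. The same allowlist logic is what the preventive control should enforce in front of the interface; any hit the script reports from outside that range means the backup, and the key that decrypts it, has already left the network, so the credentials and private keys it contains should be treated as compromised and rotated.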

Source: Security Affairs
