{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-27944", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-25T03:11:36.690Z", "datePublished": "2026-03-05T16:28:13.988Z", "dateUpdated": "2026-03-19T14:49:05.173Z"}, "containers": {"cna": {"title": "Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure", "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "lang": "en", "description": "CWE-311: Missing Encryption of Sensitive Data", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762"}], "affected": [{"vendor": "0xJacky", "product": "nginx-ui", "versions": [{"version": "< 2.3.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T16:28:13.988Z"}, "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3."}], "source": {"advisory": "GHSA-g9w5-qffc-6762", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-19T14:48:53.820842Z", "id": "CVE-2026-27944", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-19T14:49:05.173Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-27944", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-19T14:48:53.820842Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-06T16:01:37.626Z"}}], "cna": {"title": "Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure", "source": {"advisory": "GHSA-g9w5-qffc-6762", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "0xJacky", "product": "nginx-ui", "versions": [{"status": "affected", "version": "< 2.3.3"}]}], "references": [{"url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762", "name": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-311", "description": "CWE-311: Missing Encryption of Sensitive Data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-05T16:28:13.988Z"}}}, "cveMetadata": {"cveId": "CVE-2026-27944", "state": "PUBLISHED", "dateUpdated": "2026-03-19T14:49:05.173Z", "dateReserved": "2026-02-25T03:11:36.690Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-05T16:28:13.988Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*", "matchCriteriaId": "AA731011-DD7D-446C-99D7-120A6EBDD668", "versionEndExcluding": "2.3.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3."}, {"lang": "es", "value": "Nginx UI es una interfaz de usuario web para el servidor web Nginx. Antes de la versi\u00f3n 2.3.3, el endpoint /api/backup es accesible sin autenticaci\u00f3n y revela las claves de cifrado necesarias para descifrar la copia de seguridad en el encabezado de respuesta X-Backup-Security. Esto permite a un atacante no autenticado descargar una copia de seguridad completa del sistema que contiene datos sensibles (credenciales de usuario, tokens de sesi\u00f3n, claves privadas SSL, configuraciones de Nginx) y descifrarla inmediatamente. Este problema ha sido parcheado en la versi\u00f3n 2.3.3."}], "id": "CVE-2026-27944", "lastModified": "2026-03-10T18:11:27.450", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-05T19:16:05.840", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-311"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.3.3)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "nginx-ui", "source": "cna", "vendor": "0xJacky"}, "product": "nginx-ui", "vendor": "0xjacky"}], "analysis": {"en": {"generated_at": "2026-04-21T23:38:29.291165+00:00", "value": {"mitigation_remediation": ["Upgrade Nginx UI to version 2.3.3 or later, which removes the unauthenticated endpoint and encrypts the key properly.", "If an upgrade cannot be applied immediately, block access to the /api/backup URL with firewall rules or remove the backup endpoint from the application to prevent unauthorized use.", "Ensure that backup files are accessible only to authenticated administrators and that backup data is encrypted in transit and at rest, limiting exposure even if an attacker manages to bypass the protection."], "summary": {"action": "Immediate Patch", "impact": "Sensitive Data Exposure"}, "threat_synthesis": {"affected_systems": "The affected product is Nginx UI, developed by 0xJacky, versions earlier than 2.3.3. The vulnerability impacts any deployment of this web interface regardless of the underlying Nginx server version. Specific vendors or integrations are not listed beyond the primary product.", "description_and_impact": "The vulnerability resides in the Nginx UI web interface, where the /api/backup endpoint is reachable without any authentication. When accessed, the service returns a backup file along with the encryption key in the X-Backup-Security response header. This combination of an unauthenticated download and disclosure of the key satisfies the weaknesses of missing authentication for a critical function (CWE\u2011306) and missing encryption in transmission (CWE\u2011311). The effect is that an attacker can obtain a complete backup containing user credentials, session tokens, SSL private keys, and server configurations, and decrypt it immediately, compromising confidentiality and potentially leading to further compromise of the host or other systems.", "risk_and_exploitability": "The CVSS base score of 9.8 indicates critical severity, and the EPSS score of 7% shows that a non\u2011negligible portion of incidents may target this flaw. The vulnerability is not yet listed in the CISA Known Exploited Vulnerabilities catalog. Attackers can exploit the flaw remotely with a simple HTTP GET request to /api/backup on any publicly accessible or internal instance that has not been patched. No special privileges are required, and the process requires no user interaction. Once the backup and key are acquired, the attacker can decrypt the backup file straight away. The requirement of a publicly reachable Nginx UI instance and a pre\u20112.3.3 version are the only known prerequisites."}}}}, "created": "2026-03-06T15:01:34.313161+00:00", "updated": "2026-04-21T23:45:02.969582+00:00", "vendors": ["0xjacky", "0xjacky$PRODUCT$nginx-ui"]}