CVE-2026-27944

Critical CVSS: 9.8

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.

Vendor

Nginxui

Product

Nginx Ui

CWE

CWE-306

Yayın Tarihi

2026-03-05 19:16:05

Güncelleme

2026-03-10 18:11:27

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-306 Nginx Ui CRITICAL Nginxui 2026

Referanslar

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762

Benzer Kayıtlar

Critical

CVE-2026-33026

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism…

Medium

CVE-2026-33029

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, an input validation vulnerability in…

High

CVE-2026-33030

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.3 and prior, Nginx-UI contains an Insecure Di…

Critical

CVE-2026-33032

Nginx UI is a web user interface for the Nginx web server. In versions 2.3.5 and prior, the nginx-ui MCP (Model Context…

Medium

CVE-2026-33027

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui configuration improperly…

High

CVE-2026-33028

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui application is vulnerabl…