CVE-2026-27944: Nginx-UI Vulnerable to Unauthenticated Backup Download with Encryption Key Disclosure
The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately.
References
- csrc.nist.gov/publications/detail/sp/800-57-part-1/rev-5/final
- github.com/0xJacky/nginx-ui
- github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762
- github.com/advisories/GHSA-g9w5-qffc-6762
- nvd.nist.gov/vuln/detail/CVE-2026-27944
- owasp.org/www-project-top-ten/2017/A2_2017-Broken_Authentication
- owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
Code Behaviors & Features
Detect and mitigate CVE-2026-27944 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →