Warning: Critical Missing Authentication Vulnerability in Nginx UI Leads to Full System Compromise, Patch Immediately!

Published: 10/03/2026
  • Last update: 10/03/2026
  • Affected software: Nginx UI versions prior to 2.3.3
  • Type: CWE-306: Missing Authentication for Critical Function
  • CVE/CVSS
    → CVE-2026-27944: CVSS 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Sources

GitHub - https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762

Risks

An unauthenticated attacker can download and decrypt the system backup, which gives them access to sensitive information including user credentials, session tokens, SSL private keys and Nginx configurations. This gives the attacker the opportunity to achieve full system compromise, with high impact on the CIA triad.

The Nginx UI advisory contains a proof of concept, making the vulnerability even easier to exploit successfully.

Description

In Nginx UI versions prior to 2.3.3, the CreateBackup function lacks authentication, leading to sensitive information disclosure. The /api/backup endpoint is accessible without authentication, allowing an attacker to download the system backup and decrypt it with the encryption keys disclosed in the X-Backup-Security response header.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity and ensure a swift response in case of an intrusion.
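One way to look for exploitation of this issue in access logs, as an added example that is not part of the CCB advisory or the Nginx UI project: standard Nginx access logs record the request path and status but not the X-Backup-Security response header, so the detectable signal is a completed (HTTP 200) download of /api/backup from a source that is not an operator using the UI. The log lines, the admin network prefix and the log format are constructed assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import List

# Nginx "combined" log format as written by a reverse proxy in front of
# Nginx UI (assumed layout); it captures the request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not from a real incident)
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:12:01 +0100] "GET /api/backup HTTP/1.1" 200 184320 "-" "curl/8.5.0"
198.51.100.4 - - [10/Mar/2026:08:12:09 +0100] "GET /api/backup HTTP/1.1" 401 41 "-" "curl/8.5.0"
10.0.0.5 - - [10/Mar/2026:09:00:00 +0100] "GET /api/backup HTTP/1.1" 200 184320 "https://nginx-ui.example.internal/backup" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2026:09:00:02 +0100] "GET /api/configs HTTP/1.1" 200 512 "https://nginx-ui.example.internal/" "Mozilla/5.0"
"""

@dataclass
class Finding:
    ip: str
    ts: str
    size: int
    referer: str
    user_agent: str

def find_backup_downloads(log_text: str, admin_nets=("10.",)) -> List[Finding]:
    """Return successful /api/backup downloads that warrant triage: those from
    outside the (assumed) admin network or made directly, without the UI page as referer."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["path"].split("?")[0] != "/api/backup":
            continue
        if m["status"] != "200":
            continue  # anything but 200 was not a completed backup download
        from_admin = m["ip"].startswith(admin_nets)
        browser_flow = m["referer"] != "-"
        if from_admin and browser_flow:
            continue  # looks like an operator using the UI's backup page
        size = 0 if m["size"] == "-" else int(m["size"])
        findings.append(Finding(m["ip"], m["ts"], size, m["referer"], m["ua"]))
    return findings

def is_vulnerable_version(version: str, fixed=(2, 3, 3)) -> bool:
    """True when an Nginx UI version string (e.g. "v2.3.2") is below the fixed release 2.3.3."""
    parts = tuple(int(p) for p in version.lstrip("v").split("-")[0].split("."))
    return parts < fixed
```

A hit only shows that a backup left the system; confirming compromise still requires checking whether that source was a legitimate operator, and any download predating the patch means the credentials and keys it contained should be treated as exposed.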

In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.

While patching appliances or software to the newest version may protect against future exploitation, it does not remediate historic compromise.

References

SentinelOne - https://www.sentinelone.com/vulnerability-database/CVE-2026-27944/