CVE-2026-27944

Medienbericht

Exploit

EPSS 22.16%
Veröffentlicht 05.03.2026 16:28:13
Zuletzt bearbeitet 10.03.2026 18:11:27
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Nginx UI: Unauthenticated Backup Download with Encryption Key Disclosure

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 5

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Nginxui ≫ Nginx Ui Version < 2.3.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	22.16%	0.974

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CWE-311 Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.

VulnDex Intel

Media Report

17.03.2026 22:19

https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2026-27944

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-27944

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-27944

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-27944