PRP: Nginx-UI CVE-2026-27944 Unauthenticated Backup Download with Encryption Key Disclosure

[wannabemrrobot]

• Identifier of the vulnerability: CVE-2026-27944
• Affected software: Nginx UI (https://github.com/0xJacky/nginx-ui)
• Type of vulnerability: Sensitive Data Exposure leading to full system compromise (credentials, SSL private keys, session tokens)
• CVSS Score: 9.8 Critical (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
• Requires authentication: No
• Impact: The /api/backup endpoint is accessible without authentication and discloses the AES-256 encryption keys in the X-Backup-Security response header. This allows an unauthenticated attacker to download and decrypt a full system backup containing user credentials, session tokens, SSL private keys, and Nginx configurations — leading to full system compromise.
• Patched version: 2.3.3
• Affected versions: < 2.3.3
• Language you would use for writing the plugin: Templated (textproto)
• Resources:
  • GHSA-g9w5-qffc-6762
  • https://nvd.nist.gov/vuln/detail/CVE-2026-27944
  • GHSA-g9w5-qffc-6762

[github-actions]

Welcome to the Tsunami patch reward program!

Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.

Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.

~The Tsunami PRP team