Nginx Vulnerability (CVE-2026-27944) [PoC]
CVE-2026-27944
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt t...
Overview
A critical security vulnerability has been identified in Nginx UI, a web-based management interface for the Nginx web server. This flaw allows an unauthenticated attacker to download and decrypt the complete system backup, exposing highly sensitive information.
Vulnerability Details
In versions prior to 2.3.3, the Nginx UI /api/backup endpoint was improperly accessible without any login or authentication. When accessed, this endpoint not only provides a full system backup file but also includes the encryption keys needed to decrypt it within the X-Backup-Security HTTP response header. This means an attacker can easily obtain the backup and the key to unlock it in a single step.
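As an added example that is not part of the advisory: a small access-log triage over constructed nginx combined-format lines that lists every successful fetch of /api/backup and singles out sources outside an assumed trusted range (10.0.0.0/8 here, a placeholder), which is the first question an administrator of a pre-2.3.3 instance needs answered before deciding on rotation.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in nginx "combined" log format; not real traffic.
SAMPLE_LOG = """\
10.0.5.12 - - [14/Mar/2026:09:12:01 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "curl/8.5.0"
203.0.113.7 - - [14/Mar/2026:09:14:33 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "python-requests/2.31"
203.0.113.7 - - [14/Mar/2026:09:14:35 +0000] "GET /api/settings HTTP/1.1" 401 0 "-" "python-requests/2.31"
10.0.5.12 - - [14/Mar/2026:09:20:10 +0000] "GET /api/backup HTTP/1.1" 401 0 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed trusted administrative ranges; adjust to your environment.
TRUSTED = [ip_network("10.0.0.0/8")]

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def backup_downloads(log_text):
    """Successful (HTTP 200) fetches of /api/backup, tagged by whether the source is in a
    trusted range. The access log cannot show whether credentials were presented, so on
    a pre-2.3.3 instance each hit is a potential unauthenticated backup download."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["status"] != "200":
            continue
        if rec["path"].split("?", 1)[0] != "/api/backup":
            continue
        rec["trusted"] = any(ip_address(rec["ip"]) in net for net in TRUSTED)
        findings.append(rec)
    return findings

def untrusted_sources(findings):
    """Distinct untrusted source IPs in first-seen order; these argue most strongly for rotation."""
    seen = []
    for rec in findings:
        if not rec["trusted"] and rec["ip"] not in seen:
            seen.append(rec["ip"])
    return seen

if __name__ == "__main__":
    print("untrusted /api/backup downloads from:", untrusted_sources(backup_downloads(SAMPLE_LOG)))
```

Any entry in the untrusted list means the backup, and the key shipped with it, should be considered disclosed.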
Impact
The impact of this vulnerability is severe. A successful exploit grants an attacker access to a complete backup containing:
- User credentials and session tokens
- SSL/TLS private keys
- All Nginx configuration files
- Other sensitive application data stored by the interface
With this information, an attacker can compromise the web server, impersonate the service, steal user data, and move laterally to other systems within the network. The ease of exploitation, requiring no authentication or advanced skills, contributes to its critical severity.
Remediation and Mitigation
The primary and most urgent action is to update the software.
- Immediate Upgrade: Upgrade Nginx UI to version 2.3.3 or later immediately. This version contains the patch that secures the backup endpoint.
- Restrict Network Access: If an immediate upgrade is not possible, restrict network access to the Nginx UI administration interface. Ensure it is not exposed to the public internet and is only accessible from trusted, internal networks.
- Rotate Exposed Credentials: If you suspect your instance may have been compromised, you must rotate all credentials and certificates that were managed by Nginx UI. This includes SSL/TLS keys, API keys, and system user passwords.
- Verify Backups: Ensure that any backup files previously generated by the vulnerable version are stored securely, as they may now be at risk if they were exposed via this flaw.
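One way to apply the network-restriction step, as an added example that is not from the advisory or the Nginx UI project: an nginx reverse-proxy configuration placed in front of Nginx UI. It assumes Nginx UI listens on 127.0.0.1:9000 and that 10.0.0.0/8 is the trusted administrative range; both are placeholders to adjust for your deployment.

```nginx
# Added example (not from the advisory or the Nginx UI project): a reverse-proxy
# front for Nginx UI that admits only trusted internal ranges while the upgrade
# to 2.3.3 is pending. Assumptions: Nginx UI listens on 127.0.0.1:9000 and
# 10.0.0.0/8 is the administrative network; adjust both to your deployment.
server {
    listen 443 ssl;
    server_name nginx-ui.internal.example;     # placeholder hostname
    # ssl_certificate / ssl_certificate_key directives omitted for brevity

    # Tightest temporary measure: refuse the vulnerable endpoint to everyone.
    # Remove once the instance runs 2.3.3 or later.
    location = /api/backup {
        return 403;
    }

    # Everything else: reachable only from the trusted administrative range.
    location / {
        allow 10.0.0.0/8;
        deny  all;

        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

# The proxy only helps if Nginx UI itself is bound to loopback rather than to
# all interfaces; otherwise its own port stays reachable and bypasses these rules.
```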
Summary
This critical vulnerability in Nginx UI poses a significant risk to system confidentiality and integrity. Administrators should treat this with high priority, applying the available patch without delay to prevent unauthorized access and potential large-scale data theft.
Public PoC References
Unverified third-party code
These repositories are publicly listed on GitHub and have not been audited by Yazoul Security. They may contain malware, backdoors, destructive payloads, or operational security risks (telemetry, exfiltration). Treat them as hostile binaries. Inspect source before execution. Run only in isolated, disposable lab environments (offline VM, no credentials, no production data).
Authorized use only. This information is provided for defensive research, detection engineering, and patch validation. Using exploit code against systems you do not own or do not have explicit written permission to test is illegal in most jurisdictions and violates Yazoul's terms of use.
| Repository | Description | Stars |
|---|---|---|
| NULL200OK/CVE-2026-27944 | CVE-2026-27944 - Nginx UI Unauthenticated Backup Download & Decryption | ★ 4 |
| Skynoxk/CVE-2026-27944 | Automated exploit script for CVE-2026-27944 (Nginx UI). Downloads/decrypts backups, extracts system secrets, and creates rogue admin accounts for full dashboard access. | ★ 4 |
| Goultarde/CVE-2026-27944-poc | poc for CVE-2026-27944 | ★ 0 |
Showing 3 of 3 known references. Source: nomi-sec/PoC-in-GitHub.