CVE-2026-27944 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: March 5, 2026
Nginx UI - Information Disclosure
Published: March 5, 2026 | Updated: March 5, 2026 | Remote Exploitable
Overview
Nginx UI versions before 2.3.3 contain an information disclosure vulnerability: the /api/backup endpoint is accessible without authentication and exposes the backup encryption keys in the X-Backup-Security header, letting unauthenticated attackers download and decrypt full system backups.
Severity & Score
Severity: Critical
CVSS Score: 9.8
EPSS Score: 103.5% (Probability of exploitation in next 30 days)
Impact
Unauthenticated attackers can access and decrypt full system backups, exposing sensitive data including credentials and private keys.
Mitigation
Upgrade to version 2.3.3 or later.
Social Media Activity (1 post)
Patrick C Miller :donor:
@patrickcmiller
Critical Nginx UI flaw CVE-2026-27944 exposes server backups https://securityaffairs.com/189123/security/critical-nginx-ui-flaw-cve-2026-27944-exposes-server-backups.html
Details
- CVE ID: CVE-2026-27944
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_access_control
- Status: unconfirmed
- EPSS: 103.5%
- Nuclei: Available
- Social Posts: 1
CWE
- CWE-306
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score
103.5% (Probability of exploitation in the next 30 days)