Critical Nginx UI Vulnerability Exposes Full System Backups to Unauthenticated Attackers
A critical security vulnerability has been identified in Nginx UI, a widely used web-based interface for managing Nginx servers. This flaw, designated as CVE-2026-27944, allows unauthenticated attackers to download and decrypt full system backups, posing a severe risk to affected systems.
Vulnerability Details
The vulnerability arises from two primary security oversights in the Nginx UI’s Go codebase:
1. Lack of Authentication on the Backup Endpoint: The `/api/backup` endpoint does not require authentication, making it accessible to anyone with network access to the server. This contrasts with other management endpoints that are properly secured.
2. Exposure of Encryption Keys: The system inadvertently includes the Base64-encoded AES-256 encryption key and Initialization Vector (IV) in plain text within the `X-Backup-Security` HTTP response header. This disclosure allows attackers to decrypt the downloaded backup files easily.
Exploitation Process
An attacker can exploit this vulnerability by sending a standard GET request to the `/api/backup` endpoint. The server responds with the encrypted backup files and the necessary decryption keys in the HTTP headers. Using these keys, the attacker can decrypt the backup files, gaining access to sensitive system data.
Potential Impact
Once decrypted, the backup files may contain critical information, including:
– User Credentials: Access to the `database.db` file can reveal usernames and passwords, potentially allowing unauthorized access to the system.
– Configuration Files: The `app.ini` configuration file and Nginx configuration files may contain sensitive settings and information about the server’s operation.
– SSL Certificates and Private Keys: Exposure of these files can enable attackers to impersonate the server or decrypt secure communications, facilitating man-in-the-middle attacks.
The existence of a public Proof-of-Concept (PoC) script further increases the risk, as it shows that the vulnerability can be exploited with nothing more than a short Python script.
Mitigation Measures
To address this critical vulnerability, administrators should take the following steps:
1. Immediate Upgrade: Update Nginx UI to version 2.3.3 or later, where this vulnerability has been patched.
2. Restrict Access: Implement strict access controls to limit network access to the `/api/backup` endpoint. This can be achieved through firewall rules or by configuring the server to restrict access to trusted internal networks only.
3. Monitor Server Logs: Regularly review server logs for any unauthorized or unexpected GET requests to the `/api/backup` endpoint.
4. Inspect HTTP Responses: Check outgoing HTTP responses for the presence of the `X-Backup-Security` header containing Base64-encoded keys, which indicates potential exposure.
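A small detection script for steps 3 and 4, added here as an illustration and not code from the advisory or the Nginx UI project: it scans access-log lines in the Nginx combined format (the sample lines below are constructed) for requests to `/api/backup`, reports whether a backup body was actually served, and flags any response carrying the `X-Backup-Security` header. It assumes Nginx UI sits behind a proxy that logs in that format, and it checks only for the header's presence because the exact payload layout is not specified here.

```python
import re
from typing import Dict, Iterable, List

# Nginx "combined" log format (assumed: the proxy in front of Nginx UI uses it).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
BACKUP_PATH = "/api/backup"

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:12:00:01 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2026:12:00:05 +0000] "GET /api/v1/config HTTP/1.1" 401 0 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2026:12:00:09 +0000] "GET /api/backup/?x=1 HTTP/1.1" 401 0 "-" "curl/8.0"
"""


def find_backup_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per request to the backup endpoint.

    A 200 with a non-empty body means an archive was served (likely data loss);
    other statuses are still reported so probing attempts are visible.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path").split("?", 1)[0].rstrip("/")
        if path != BACKUP_PATH:
            continue
        rec = m.groupdict()
        served = rec["status"] == "200" and rec["size"] not in ("-", "0")
        rec["served"] = "yes" if served else "no"
        hits.append(rec)
    return hits


def header_exposes_key(headers: Dict[str, str]) -> bool:
    """True if a response carries a non-empty X-Backup-Security header.

    Header names are compared case-insensitively; on a fixed version the header
    should not appear at all, so presence alone is the signal.
    """
    return any(n.lower() == "x-backup-security" and v.strip() != ""
               for n, v in headers.items())


if __name__ == "__main__":
    for hit in find_backup_requests(SAMPLE_LOG.splitlines()):
        print(f"{hit['time']} {hit['ip']} -> {hit['status']} served={hit['served']}")
```

The same `find_backup_requests` function can be pointed at a real access log with `open(path)` in place of `SAMPLE_LOG.splitlines()`.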
By promptly applying these measures, organizations can mitigate the risks associated with this vulnerability and protect their systems from unauthorized access and data breaches.