A critical vulnerability in the Nginx UI, tracked as CVE-2026-27944, is actively being exploited in the wild, posing a severe threat to web servers using this interface. The flaw, which has a CVSS score of 9.8, allows unauthenticated attackers to access sensitive server backups by exploiting an insecure endpoint.
The vulnerability resides in the /api/backup endpoint of the Nginx UI, a web interface for managing the Nginx web server. Prior to version 2.3.3, this endpoint is accessible without authentication, exposing encryption keys in the X-Backup-Security response header. These keys are crucial for decrypting server backups, effectively allowing attackers to download and access sensitive data without any credentials.
The flaw has been categorized under CWE-306 (Missing Authentication for Critical Function) and CWE-311 (Missing Encryption of Sensitive Data), highlighting the absence of necessary security measures in handling backup data. The exploitation of this vulnerability was observed within 13 days of its disclosure, underscoring the urgency for affected users to address the issue.
Proof-of-concept (PoC) exploits for CVE-2026-27944 are readily available, with at least four different PoCs circulating among threat actors. This availability significantly lowers the barrier for exploitation, making it imperative for organizations using the Nginx UI to upgrade to version 2.3.3 or later, where the vulnerability has been patched.
Given the critical nature of this vulnerability and its active exploitation, organizations are advised to immediately assess their exposure to CVE-2026-27944. Those using vulnerable versions of the Nginx UI should prioritize updating to the latest version to mitigate potential data breaches. Additionally, reviewing access logs for any unauthorized access attempts to the /api/backup endpoint can help identify potential compromises.
The Security Severity Vulnerability Classification (SSVC) for this flaw is marked as 'attend,' indicating that immediate action is required to address the risk. With an Exploit Prediction Scoring System (EPSS) score of 0.074, the likelihood of exploitation is moderate, but the impact of a successful attack is severe, given the potential exposure of sensitive backup data.
As attackers continue to exploit this vulnerability, the cybersecurity community emphasizes the importance of maintaining up-to-date software and implementing robust authentication mechanisms to protect critical infrastructure from unauthorized access.
CSURFACE