Detections
Analytics
Nginx UI < 2.3.3 Sensitive Information Disclosure
critical Web App Scanning Plugin ID 115158
Language:
Synopsis
Nginx UI < 2.3.3 Sensitive Information DisclosureDescription
Nginx UI version below 2.3.3 contains a critical sensitive information disclosure vulnerability that allows unauthenticated attackers to access the /api/backup endpoint and retrieve encryption keys from the X-Backup-Security response header. This enables attackers to download and decrypt full system backups, exposing sensitive data such as user credentials, session tokens, SSL private keys, and Nginx configurations.Solution
Upgrade to Nginx UI version 2.3.3 or later.See Also
https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762
Plugin Details
Severity: Critical
ID: 115158
Type: remote
Family: Component Vulnerability
Published: 3/10/2026
Updated: 3/10/2026
Scan Template: basic, full, pci, scan
Risk Information
VPR
Risk Factor: High
Score: 8.4
CVSS v2
Risk Factor: Critical
Base Score: 10
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2026-27944
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score Source: CVE-2026-27944
Vulnerability Information
CPE: cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 2/15/2026
Vulnerability Publication Date: 3/4/2026
Reference Information
CVE: CVE-2026-27944
OWASP: 2010-A3, 2013-A2, 2013-A9, 2017-A2, 2017-A9, 2021-A6, 2021-A7, 2025-A4, 2025-A6, 2025-A7
WASC: Application Misconfiguration, Credential/Session Prediction, Insufficient Authentication
DISA STIG: APSC-DV-000460, APSC-DV-002250, APSC-DV-002630
HIPAA: 164.306(a)(1), 164.306(a)(2), 164.312(a), 164.312(e)
ISO: 27001-A.14.2.5, 27001-A.9.1.2, 27001-A.9.2.1, 27001-A.9.2.3, 27001-A.9.4.4, 27001-A.9.4.5
NIST: sp800_53-AC-6(1), sp800_53-CM-6b, sp800_53-IA-2(8)
OWASP API: 2019-API7, 2023-API8
OWASP ASVS: 4.0.2-14.2.1, 4.0.2-3.2.1, 4.0.2-3.7.1
PCI-DSS: 3.2-6.2, 3.2-6.5.10