CVE-2026-27944

CRITICAL EXPLOITED NUCLEI

nginxui/nginx_ui < 2.3.3 - Unauthenticated Sensitive Data Exposure via Backup Endpoint

Title source: llm

Exploitation Summary

CVE-2026-27944 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 9 public exploits from researchers including iSee857, XiaomingX, and NULL200OK. A Nuclei detection template is also available.

AI-analyzed exploit summary: This PoC exploits an authentication bypass vulnerability in Nginx UI (CVE-2026-27944) by decrypting backup files retrieved from an unauthenticated API endpoint. It leverages AES-256-CBC decryption using keys extracted from the 'X-Backup-Security' header to expose sensitive configuration data.

Description

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.

Exploits (9)

github WORKING POC 41 stars
by iSee857 · pythonpoc
https://github.com/iSee857/CVE-PoC/tree/main/2026/nginxUi-CVE-2026-27944-AuthenticationMiss.py

This PoC exploits an authentication bypass vulnerability in Nginx UI (CVE-2026-27944) by decrypting backup files retrieved from an unauthenticated API endpoint. It leverages AES-256-CBC decryption using keys extracted from the 'X-Backup-Security' header to expose sensitive configuration data.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Nginx UI (version not specified)
No auth needed
Prerequisites: Access to the target's /api/backup endpoint · Pycryptodome library installed
devstral-2 · analyzed Mar 10, 2026

github WORKING POC 10 stars
by XiaomingX · pythonpoc
https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-27944

This repository contains a functional Python exploit for CVE-2026-27944, which allows unauthenticated attackers to download and decrypt Nginx UI server backups via the /api/backup endpoint. The exploit includes both scanning and exploitation capabilities, with detailed technical documentation.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Nginx UI <= 2.3.2
No auth needed
Prerequisites: Network access to the target Nginx UI instance · Python 3.x environment · Optional: pycryptodome for decryption
devstral-2 · analyzed Mar 11, 2026

nomisec WORKING POC 3 stars
by NULL200OK · remote
https://github.com/NULL200OK/CVE-2026-27944

This repository contains a functional Python exploit for CVE-2026-27944, which allows unauthenticated attackers to download and decrypt Nginx UI server backups via the /api/backup endpoint. The exploit includes both scanning and exploitation capabilities, with detailed technical documentation.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Nginx UI <= 2.3.2
No auth needed
Prerequisites: Network access to the target Nginx UI instance · Python 3.x environment · Optional: pycryptodome for decryption
devstral-2 · analyzed Mar 11, 2026

nomisec WORKING POC 1 stars
by jake-young-dev · infoleak
https://github.com/jake-young-dev/CVE-2026-27944

The PoC exploits CVE-2026-27944 by fetching an nginx-ui backup from a public endpoint and decrypting it using a private key leaked in the response headers. The script decrypts all files in the backup using AES-CBC.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: nginx-ui < 2.3.3
No auth needed
Prerequisites: Access to the vulnerable nginx-ui API endpoint
devstral-2 · analyzed May 07, 2026

github WORKING POC
by XZ1r0 · pythonpoc
https://github.com/XZ1r0/cve-2026-poc-collection/tree/main/web/CVE-2026-27944

This repository contains a functional exploit for CVE-2026-27944, targeting Nginx UI. The exploit automates the unauthenticated download of encrypted backups, decrypts them using leaked AES keys from HTTP headers, extracts sensitive secrets (JWT Secret, Node Secret), and creates a rogue admin account for full dashboard access.

Classification: Working PoC 95%
Attack Type: Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Nginx UI
No auth needed
Prerequisites: Python 3.x · pycryptodome library
devstral-2 · analyzed May 21, 2026

nomisec WRITEUP
by karimelsheikh1 · poc
https://github.com/karimelsheikh1/HTB-Snapped-Writeup

This is a detailed technical writeup for exploiting CVE-2026-27944 (Nginx UI unauthenticated backup disclosure) and CVE-2026-3888 (snapd race condition LPE) to achieve full system compromise on a Hack The Box machine. It includes step-by-step exploitation details, code snippets, and references.

Classification: Writeup 100%
Attack Type: Info Leak | LPE
Complexity: Moderate
Reliability: Reliable
Target: Nginx UI (before 2.3.3), snapd (2.63.1+24.04)
No auth needed
Prerequisites: Access to the target machine's network · Basic Linux command-line tools (curl, openssl, sqlite3, hashcat) · Exploit code for CVE-2026-3888
devstral-2 · analyzed May 08, 2026

nomisec WORKING POC
by Skynoxk · remote
https://github.com/Skynoxk/CVE-2026-27944

This repository contains a functional exploit for CVE-2026-27944, targeting Nginx UI. The exploit automates the download of encrypted backups, decrypts them using leaked AES keys, extracts sensitive secrets, and creates an admin user for dashboard access.

Classification: Working PoC 95%
Attack Type: Info Leak | Auth Bypass
Complexity: Moderate
Reliability: Reliable
Target: Nginx UI
No auth needed
Prerequisites: Python 3.x · pycryptodome library
devstral-2 · analyzed Mar 14, 2026

nomisec SCANNER
by NULL200OK · poc
https://github.com/NULL200OK/-nginxui_discover

This repository contains a multi-threaded scanner for detecting Nginx UI instances and identifying those vulnerable to CVE-2026-27944 (versions ≤ 2.3.2). It uses passive fingerprinting and API endpoint probing to determine version and vulnerability status.

Classification: Scanner 95%
Attack Type: Info Leak
Complexity: Moderate
Reliability: Reliable
Target: Nginx UI ≤ 2.3.2
No auth needed
Prerequisites: Network access to target hosts · Python 3.6+ with requests library
devstral-2 · analyzed Mar 11, 2026

nomisec WORKING POC
by weefunker · poc
https://github.com/weefunker/CVE-2026-27944-Lab

This repository contains a fully functional lab environment and exploit for CVE-2026-27944, demonstrating unauthenticated backup download and encryption key disclosure in Nginx-UI versions < 2.3.2. The exploit includes a PoC script that downloads encrypted backups and decrypts them using keys disclosed in response headers.

Classification: Working PoC 95%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Nginx-UI < 2.3.2
No auth needed
Prerequisites: Python 3.8+ · Docker (optional) · pycryptodome
devstral-2 · analyzed Mar 10, 2026

Nuclei Templates (1)

Nginx UI < 2.3.3 - Information Disclosure
CRITICAL · VERIFIED · by omarkurt
Shodan: http.title:"nginx ui"
FOFA: title="nginx ui"

Scores

CVSS v3 9.8
EPSS 0.0731
EPSS Percentile 91.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2026-03-19
CWE CWE-311, CWE-306
Status published
Products (2)
0xJacky/nginx-ui < 2.3.3
nginxui/nginx_ui < 2.3.3
Published Mar 05, 2026
Tracked Since Mar 06, 2026