Nginx UI Information Disclosure (CVE-2026-27944)
Description
Nginx UI before version 2.3.3 contains an information disclosure vulnerability in the unauthenticated /api/backup endpoint, which exposes encryption keys via the X-Backup-Security response header. An unauthenticated attacker can use the exposed key to download and decrypt full system backups, gaining access to sensitive data including credentials and private keys.
Remediation
Upgrade to the latest Nginx UI version.
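The following Python script is an added example, not part of the original advisory or the Nginx UI project. It triages an access log for successful requests to /api/backup from sources outside an allowlist, and checks a version string against the fixed release 2.3.3. It assumes a reverse proxy in front of Nginx UI that writes nginx "combined" format logs; the sample lines, IP addresses and function names are constructed.

```python
import re

# Constructed sample lines in nginx "combined" log format (assumption: a
# reverse proxy in front of Nginx UI writes this log).
SAMPLE_LOG = '''\
192.0.2.10 - - [10/Mar/2026:09:00:12 +0000] "GET /api/backup HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2026:04:12:01 +0000] "GET /api/backup HTTP/1.1" 200 48190 "-" "curl/8.5.0"
203.0.113.7 - - [10/Mar/2026:04:12:05 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 48190 "-" "curl/8.5.0"
198.51.100.23 - - [10/Mar/2026:05:30:44 +0000] "GET /api/backup/ HTTP/1.1" 403 153 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2026:05:30:45 +0000] "GET /api/settings HTTP/1.1" 200 912 "-" "python-requests/2.31"
this line is malformed and must be skipped
'''

LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

def is_patched(version):
    """True when the version is 2.3.3 or later; pre-release suffixes are ignored."""
    m = re.match(r'v?(\d+(?:\.\d+)*)', version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split('.')][:3]
    parts += [0] * (3 - len(parts))  # "2.3" is compared as 2.3.0
    return tuple(parts) >= (2, 3, 3)

def backup_hits(log_text, trusted_ips=frozenset()):
    """Return (timestamp, ip, target, bytes) for 2xx /api/backup requests
    whose source address is not in trusted_ips."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        # Ignore the query string and a trailing slash when matching the path.
        path = m['target'].split('?', 1)[0].rstrip('/')
        if path == '/api/backup' and m['status'].startswith('2') and m['ip'] not in trusted_ips:
            size = 0 if m['size'] == '-' else int(m['size'])
            hits.append((m['ts'], m['ip'], m['target'], size))
    return hits

if __name__ == '__main__':
    for hit in backup_hits(SAMPLE_LOG, trusted_ips={'192.0.2.10'}):
        print(hit)
```

Access logs do not record response headers, so a hit only shows that a backup response was served to that address. On a version before 2.3.3, treat each hit as a possible disclosure of the backup and its key, and rotate the credentials and private keys the backup contained.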