Exploit for Missing Authentication for Critical Function in Nginxui Nginx_Ui
Details
CVSS v3
9.8
NVD published
2026-03-05 19:16:05
EPSS
6.4% probability · 91.0th percentile — 2026-04-17
Affected versions
cpe:2.3:a:nginxui:nginx_ui:*:*:*:*:*:*:*:*
Summary
Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.3, the /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately. This issue has been patched in version 2.3.3.
TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.