Critical Nginx UI Vulnerability (CVE-2026-27944) Under Active Exploitation
A newly disclosed critical vulnerability in Nginx’s user interface (CVE-2026-27944) is already being probed by threat actors, just days after its public release on 5 March. The flaw, rated 9.8 on the CVSS scale, affects versions of Nginx UI prior to 2.3.3 and stems from two key issues: missing authentication on the api/backup endpoint and encryption keys exposed in HTTP response headers.
Exploitation allows unauthenticated attackers to download and decrypt full server backups, potentially exposing credentials, configuration data, and encryption keys. A proof-of-concept exploit is already available, increasing the risk of widespread attacks.
Security researchers at watchTowr have detected active scanning of the vulnerable endpoint over the past four days, with attackers attempting to identify and compromise exposed systems. Although the flaw affects Nginx UI, not the core Nginx web server, its severity has prompted urgent warnings to patch immediately.
The vulnerability highlights the risk of exposing management interfaces to the public internet. Affected organizations can mitigate the threat by upgrading to Nginx UI 2.3.3 or later and by restricting access to the management interface rather than exposing it publicly.
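Because the advisory above reports active scanning of the backup endpoint, a defender's first question is whether an exposed Nginx UI instance has already been probed. The following is an added example, not code from the Rankiteo page or from the Nginx UI project: it parses nginx-style access log lines and reports, per source address, how many requests hit the backup endpoint and how many of those were answered with a 2xx status (which would indicate a backup was actually served). The log lines are constructed sample data; the "combined" log format and the leading-slash path `/api/backup` are assumptions made for illustration.

```python
"""Flag requests to the Nginx UI backup endpoint in access logs.

Added example for the CVE-2026-27944 advisory; not part of the page or the
Nginx UI project. The log format and the exact endpoint path are assumptions.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# nginx "combined" log_format (assumed; adjust the pattern if your log_format differs).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# The endpoint named in the advisory (leading slash assumed), with or without
# a trailing slash or query string.
SUSPICIOUS_PATH = re.compile(r'^/api/backup(?:[/?]|$)')

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
203.0.113.7 - - [06/Mar/2026:10:01:02 +0000] "GET /api/backup HTTP/1.1" 200 5312
203.0.113.7 - - [06/Mar/2026:10:01:03 +0000] "GET /api/backup/ HTTP/1.1" 200 5312
198.51.100.9 - - [06/Mar/2026:10:05:44 +0000] "GET /api/settings HTTP/1.1" 401 0
192.0.2.4 - - [06/Mar/2026:10:07:10 +0000] "GET /api/backup?x=1 HTTP/1.1" 200 5312
192.0.2.4 - - [06/Mar/2026:10:07:11 +0000] "GET / HTTP/1.1" 200 812
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_backup_probes(lines: Iterable[str]) -> Tuple[List[Dict[str, str]], int]:
    """Return (hits, unparsed): parsed records that target the backup endpoint,
    plus a count of non-empty lines the parser could not understand."""
    hits: List[Dict[str, str]] = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            if line.strip():
                unparsed += 1
            continue
        if SUSPICIOUS_PATH.match(rec["path"]):
            hits.append(rec)
    return hits, unparsed


def summarize(hits: List[Dict[str, str]]) -> Dict[str, Dict[str, int]]:
    """Per-source summary: total probes and how many received a 2xx response."""
    summary: Dict[str, Dict[str, int]] = {}
    for rec in hits:
        s = summary.setdefault(rec["ip"], {"probes": 0, "served": 0})
        s["probes"] += 1
        if rec["status"].startswith("2"):
            s["served"] += 1
    return summary


if __name__ == "__main__":
    hits, bad = find_backup_probes(SAMPLE_LOG.splitlines())
    for ip, s in summarize(hits).items():
        flag = "BACKUP SERVED" if s["served"] else "probed only"
        print(f"{ip}: {s['probes']} request(s) to backup endpoint [{flag}]")
    print(f"unparsed lines: {bad}")
```

A 2xx on this endpoint from an instance that was still below 2.3.3 should be treated as a likely backup download and handled as a credential and key exposure, not just as a scan. Run the script against real logs by feeding the file's lines to `find_backup_probes`; the patterns only need adjusting if your `log_format` differs from the default combined format.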
NGINX cybersecurity rating report: https://www.rankiteo.com/company/nginx
{
  "id": "NGI1773116620",
  "linkid": "nginx",
  "type": "Vulnerability",
  "date": "3/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {"industry": "Technology/Internet Infrastructure", "type": "Software"}
  ],
  "attack_vector": "Remote",
  "data_breach": {
    "data_encryption": "Yes (but keys exposed)",
    "data_exfiltration": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Credentials, configuration data, encryption keys"
  },
  "date_publicly_disclosed": "2026-03-05",
  "description": "A newly disclosed critical vulnerability in Nginx’s user interface (CVE-2026-27944) is already being probed by threat actors, just days after its public release. The flaw, rated 9.8 on the CVSS scale, affects versions of Nginx UI prior to 2.3.3 and stems from two key issues: missing authentication on the `api/backup` endpoint and encryption keys exposed in HTTP response headers. Exploitation allows unauthenticated attackers to download and decrypt full server backups, potentially exposing credentials, configuration data, and encryption keys. A proof-of-concept exploit is already available, increasing the risk of widespread attacks.",
  "impact": {
    "data_compromised": "Credentials, configuration data, encryption keys",
    "systems_affected": "Nginx UI (versions prior to 2.3.3)"
  },
  "lessons_learned": "Highlights the risks of exposing management interfaces to the public internet",
  "post_incident_analysis": {
    "corrective_actions": "Patch vulnerability, restrict access to management interfaces",
    "root_causes": "Missing authentication on `api/backup` endpoint, encryption keys exposed in HTTP response headers"
  },
  "recommendations": "Upgrade to Nginx UI 2.3.3 or later, avoid exposing management interfaces publicly",
  "references": [{"source": "watchTowr"}],
  "response": {
    "containment_measures": "Upgrade to Nginx UI 2.3.3 or later",
    "remediation_measures": "Patch vulnerable systems"
  },
  "title": "Critical Nginx UI Vulnerability (CVE-2026-27944) Under Active Exploitation",
  "type": "Vulnerability Exploitation",
  "vulnerability_exploited": "CVE-2026-27944"
}