CVE-2026-27944

Nginx UI Team · Nginx UI

Nginx UI prior to 2.3.3 allows unauthenticated access to the backup endpoint, exposing encryption keys in response headers and enabling full system backup decryption and theft.

Executive summary

An unauthenticated remote attacker can download and decrypt full system backups of Nginx UI, resulting in the total compromise of sensitive credentials, SSL private keys, and server configurations.

Vulnerability

This vulnerability combines missing authentication on the /api/backup endpoint with sensitive information disclosure. An unauthenticated attacker can request a backup and read the encryption key from the X-Backup-Security response header, so the downloaded backup can be decrypted immediately. Because the key is delivered alongside the archive it protects, backup encryption provides no protection once the endpoint is reachable without credentials.

Business impact

A successful exploit poses a catastrophic risk to organizational security, as backups contain session tokens, user credentials, and SSL private keys. Exposure of this data allows impersonation of administrators, man-in-the-middle attacks against the sites whose keys were stored, and persistent unauthorized access to the Nginx infrastructure. The CVSS score of 9.8 reflects a remotely reachable flaw that requires no authentication and has a high impact on confidentiality and integrity.

Remediation

Immediate Action: Update Nginx UI to version 2.3.3 or later to require authentication on the backup endpoint and secure the backup process.

Proactive Monitoring: Review web server access logs for GET requests to /api/backup (including variants with a query string or trailing slash) from addresses outside the administrative network, paying particular attention to 2xx responses with a non-trivial body size, which indicate a backup was actually served. The X-Backup-Security header appears in the response, not the request, so ordinary access logs will not show it; only full-capture or proxy logs that record response headers can confirm key exposure for historical traffic.

Compensating Controls: Restrict access to the Nginx UI management interface to trusted networks, for example with an IP allowlist on the reverse proxy in front of it or by exposing it only over a VPN, so that it is not reachable from the public internet.
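The monitoring step above can be scripted. The following is an added example, not code from this advisory or from the Nginx UI project: it parses nginx combined-format access log lines, normalises the request path so query strings and trailing slashes do not hide a hit, and buckets requests to /api/backup by whether they came from a trusted network and whether the server actually served the backup (2xx) or refused it. The log lines, the 10.0.0.0/8 admin network and the endpoint's exact log appearance are assumptions made for the example.

```python
"""Added example: triage nginx access logs for hits on the Nginx UI backup
endpoint (/api/backup). Not part of the advisory or of Nginx UI itself."""
import ipaddress
import re
from collections import Counter

# nginx "combined" log format, e.g.
# 1.2.3.4 - - [10/Mar/2026:14:03:21 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "curl/8.4.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "[^"]*" "(?P<ua>[^"]*)"$'
)
BACKUP_PATH = "/api/backup"

# Constructed sample lines (not real traffic). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges; 10.0.0.0/8 stands in for the admin network (assumption).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:14:03:21 +0000] "GET /api/backup HTTP/1.1" 200 48213 "-" "curl/8.4.0"
10.0.0.5 - admin [10/Mar/2026:14:05:02 +0000] "GET /api/backup?_=1710079502 HTTP/1.1" 200 48213 "https://nginx-ui.internal/" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2026:14:07:45 +0000] "GET /api/backup HTTP/1.1" 401 42 "-" "python-requests/2.31.0"
203.0.113.7 - - [10/Mar/2026:14:08:10 +0000] "GET /api/settings HTTP/1.1" 200 512 "-" "curl/8.4.0"
this line is not in combined format
"""


def parse_line(line):
    """Parse one combined-format line; return None for lines we cannot parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # Strip the query string and trailing slash and lower-case the path so that
    # /api/backup?_=1 and /API/backup/ are still recognised as the endpoint.
    rec["path"] = rec["path"].split("?", 1)[0].rstrip("/").lower() or "/"
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_backup_request(rec):
    """True for /api/backup itself and for anything beneath it."""
    return rec["path"] == BACKUP_PATH or rec["path"].startswith(BACKUP_PATH + "/")


def ip_trusted(ip, trusted_nets):
    """Membership test against the allowlisted networks; malformed addresses are untrusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in trusted_nets)


def triage(lines, trusted_cidrs=()):
    """Bucket backup-endpoint hits.

    successful: 2xx from outside trusted_cidrs (a backup was served: probable theft)
    denied:     non-2xx from outside trusted_cidrs (a probe the server refused)
    trusted:    any hit from inside trusted_cidrs (expected admin use; still review)
    unparsed:   number of non-empty lines the regex did not match
    """
    nets = [ipaddress.ip_network(c, strict=False) for c in trusted_cidrs]
    out = {"successful": [], "denied": [], "trusted": [], "unparsed": 0}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            out["unparsed"] += 1
            continue
        if not is_backup_request(rec):
            continue
        if ip_trusted(rec["ip"], nets):
            out["trusted"].append(rec)
        elif 200 <= rec["status"] < 300:
            out["successful"].append(rec)
        else:
            out["denied"].append(rec)
    return out


def sources_to_investigate(result):
    """Count successful untrusted downloads per source address."""
    return Counter(r["ip"] for r in result["successful"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines(), ["10.0.0.0/8"])
    for ip, n in sources_to_investigate(result).items():
        print(f"{ip}: {n} successful backup download(s) from an untrusted address")
    print(f"denied probes: {len(result['denied'])}, trusted hits: {len(result['trusted'])}, "
          f"unparsed lines: {result['unparsed']}")
```

Run it against a real log with the address ranges of your administrative network in place of 10.0.0.0/8. Any entry in the "successful" bucket should be treated as a confirmed backup download and trigger the credential and key rotation described below; "trusted" hits deserve a check against change records, since a compromised admin workstation would land there too.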

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability provides a direct, unauthenticated path to full compromise of everything Nginx UI manages, so administrators should treat the update to version 2.3.3 as the top priority. After updating, rotate all SSL private keys, user credentials, and session tokens that were stored within the Nginx UI environment, since anything contained in a backup that could have been downloaded while the endpoint was exposed must be considered compromised.