Share
## https://sploitus.com/exploit?id=966BABA2-BC3F-5066-AAD0-E353928EB863
# CVE-2026-27944 - Nginx-UI Unauthenticated Backup Download
[](https://nvd.nist.gov/vuln/detail/CVE-2026-27944)
[-critical.svg)](https://www.first.org/cvss/calculator/3.1)
[](https://github.com/advisories/GHSA-g9w5-qffc-6762)
> ๐จ **Critical Vulnerability Lab** - Unauthenticated Backup Download with Encryption Key Disclosure in Nginx-UI
---
## ๐ Overview
This repository contains a fully functional lab environment to demonstrate **CVE-2026-27944**, a critical vulnerability affecting Nginx-UI versions
cd CVENginix/lab
# Option 1: Local execution
pip install -r requirements.txt
python3 app/server.py
# Option 2: Docker
docker-compose up -d
```
### Running the Exploit
```bash
# In a new terminal
python3 exploits/poc.py --target http://localhost:9000 --decrypt
```

---
## ๐ Repository Structure
```
CVENginix/
โโโ lab/ # Vulnerable lab environment
โ โโโ app/
โ โ โโโ server.py # Vulnerable server implementation
โ โโโ exploits/
โ โ โโโ poc.py # Proof-of-concept exploit
โ โโโ screenshots/ # Demo screenshots
โ โโโ docker-compose.yml # Docker orchestration
โ โโโ Dockerfile # Container image
โ โโโ requirements.txt # Python dependencies
โ โโโ README.md # Detailed lab documentation
โโโ screenshots/ # Root screenshots
โโโ README.md # This file
```
---
## ๐ฏ Capture The Flag
The lab includes 3 hidden flags to verify successful exploitation:
| Flag | Description |
|------|-------------|
| `CTF{unauthenticated_backup_access_granted}` | Database access |
| `CTF{nginx_config_exposed}` | Nginx configuration |
| `CTF{ssl_private_key_compromised}` | SSL private key |
---
## ๐ Impact Assessment
### What Attackers Can Access
```
backup.zip (decrypted)
โ
โโโ database.db
โ โโโ User credentials (hashed passwords)
โ โโโ Session tokens
โ โโโ API keys (live production keys)
โ
โโโ app.ini
โ โโโ JWT signing secrets
โ โโโ SMTP credentials
โ โโโ AWS access keys
โ
โโโ nginx.conf
โ โโโ Server configuration
โ โโโ Internal network topology
โ
โโโ ssl/
โโโ server.key (RSA private key)
โโโ server.crt
```
### Attack Chain
```mermaid
graph LR
A[Unauthenticated Request] --> B[/api/backup]
B --> C[Encrypted Backup + Keys in Header]
C --> D[Decrypt with Exposed Keys]
D --> E[Extract Sensitive Data]
E --> F[Full System Compromise]
```
---
## ๐ก๏ธ Mitigation
### Immediate Actions
1. **Upgrade** to nginx-ui โฅ 2.3.3
2. **Rotate** all exposed credentials if compromised
3. **Revoke** any leaked API keys
4. **Regenerate** SSL certificates if keys were exposed
### Code Fix
```go
// Before (Vulnerable)
r.GET("/backup", CreateBackup) // โ No auth
// After (Fixed)
r.GET("/backup", middleware.Auth(), CreateBackup) // โ Auth required
// Remove key disclosure from response
// Store keys server-side or use envelope encryption
```
---
## ๐ References
- [NVD - CVE-2026-27944](https://nvd.nist.gov/vuln/detail/CVE-2026-27944)
- [GitHub Advisory - GHSA-g9w5-qffc-6762](https://github.com/advisories/GHSA-g9w5-qffc-6762)
- [CWE-306: Missing Authentication](https://cwe.mitre.org/data/definitions/306.html)
- [CWE-311: Missing Encryption](https://cwe.mitre.org/data/definitions/311.html)
---
## โ ๏ธ Legal Disclaimer
This repository is for **educational and research purposes only**.
- โ
Use for learning about security vulnerabilities
- โ
Use in controlled lab environments
- โ
Use with proper authorization
- โ Do NOT use against systems you don't own
- โ Do NOT use in production environments
---
## ๐ License
MIT License - See [LICENSE](LICENSE) for details.
---
## ๐ Acknowledgments
- Vulnerability discovered by **0xJacky**
- Original advisory: [GHSA-g9w5-qffc-6762](https://github.com/advisories/GHSA-g9w5-qffc-6762)