Share
## https://sploitus.com/exploit?id=966BABA2-BC3F-5066-AAD0-E353928EB863
# CVE-2026-27944 - Nginx-UI Unauthenticated Backup Download

[![CVE](https://img.shields.io/badge/CVE-2026--27944-red.svg)](https://nvd.nist.gov/vuln/detail/CVE-2026-27944)
[![CVSS](https://img.shields.io/badge/CVSS-9.8%20(Critical)-critical.svg)](https://www.first.org/cvss/calculator/3.1)
[![GHSA](https://img.shields.io/badge/GHSA-g9w5--qffc--6762-orange.svg)](https://github.com/advisories/GHSA-g9w5-qffc-6762)

> ๐Ÿšจ **Critical Vulnerability Lab** - Unauthenticated Backup Download with Encryption Key Disclosure in Nginx-UI

---

## ๐Ÿ“– Overview

This repository contains a fully functional lab environment to demonstrate **CVE-2026-27944**, a critical vulnerability affecting Nginx-UI versions 
cd CVENginix/lab

# Option 1: Local execution
pip install -r requirements.txt
python3 app/server.py

# Option 2: Docker
docker-compose up -d
```

### Running the Exploit

```bash
# In a new terminal
python3 exploits/poc.py --target http://localhost:9000 --decrypt
```

![Server Running](lab/screenshots/server.png)

---

## ๐Ÿ“ Repository Structure

```
CVENginix/
โ”œโ”€โ”€ lab/                          # Vulnerable lab environment
โ”‚   โ”œโ”€โ”€ app/
โ”‚   โ”‚   โ””โ”€โ”€ server.py             # Vulnerable server implementation
โ”‚   โ”œโ”€โ”€ exploits/
โ”‚   โ”‚   โ””โ”€โ”€ poc.py                # Proof-of-concept exploit
โ”‚   โ”œโ”€โ”€ screenshots/              # Demo screenshots
โ”‚   โ”œโ”€โ”€ docker-compose.yml        # Docker orchestration
โ”‚   โ”œโ”€โ”€ Dockerfile                # Container image
โ”‚   โ”œโ”€โ”€ requirements.txt          # Python dependencies
โ”‚   โ””โ”€โ”€ README.md                 # Detailed lab documentation
โ”œโ”€โ”€ screenshots/                  # Root screenshots
โ””โ”€โ”€ README.md                     # This file
```

---

## ๐ŸŽฏ Capture The Flag

The lab includes 3 hidden flags to verify successful exploitation:

| Flag | Description |
|------|-------------|
| `CTF{unauthenticated_backup_access_granted}` | Database access |
| `CTF{nginx_config_exposed}` | Nginx configuration |
| `CTF{ssl_private_key_compromised}` | SSL private key |

---

## ๐Ÿ“Š Impact Assessment

### What Attackers Can Access

```
backup.zip (decrypted)
โ”‚
โ”œโ”€โ”€ database.db
โ”‚   โ”œโ”€โ”€ User credentials (hashed passwords)
โ”‚   โ”œโ”€โ”€ Session tokens
โ”‚   โ””โ”€โ”€ API keys (live production keys)
โ”‚
โ”œโ”€โ”€ app.ini
โ”‚   โ”œโ”€โ”€ JWT signing secrets
โ”‚   โ”œโ”€โ”€ SMTP credentials
โ”‚   โ””โ”€โ”€ AWS access keys
โ”‚
โ”œโ”€โ”€ nginx.conf
โ”‚   โ”œโ”€โ”€ Server configuration
โ”‚   โ””โ”€โ”€ Internal network topology
โ”‚
โ””โ”€โ”€ ssl/
    โ”œโ”€โ”€ server.key (RSA private key)
    โ””โ”€โ”€ server.crt
```

### Attack Chain

```mermaid
graph LR
    A[Unauthenticated Request] --> B[/api/backup]
    B --> C[Encrypted Backup + Keys in Header]
    C --> D[Decrypt with Exposed Keys]
    D --> E[Extract Sensitive Data]
    E --> F[Full System Compromise]
```

---

## ๐Ÿ›ก๏ธ Mitigation

### Immediate Actions

1. **Upgrade** to nginx-ui โ‰ฅ 2.3.3
2. **Rotate** all exposed credentials if compromised
3. **Revoke** any leaked API keys
4. **Regenerate** SSL certificates if keys were exposed

### Code Fix

```go
// Before (Vulnerable)
r.GET("/backup", CreateBackup)  // โŒ No auth

// After (Fixed)
r.GET("/backup", middleware.Auth(), CreateBackup)  // โœ“ Auth required

// Remove key disclosure from response
// Store keys server-side or use envelope encryption
```

---

## ๐Ÿ“š References

- [NVD - CVE-2026-27944](https://nvd.nist.gov/vuln/detail/CVE-2026-27944)
- [GitHub Advisory - GHSA-g9w5-qffc-6762](https://github.com/advisories/GHSA-g9w5-qffc-6762)
- [CWE-306: Missing Authentication](https://cwe.mitre.org/data/definitions/306.html)
- [CWE-311: Missing Encryption](https://cwe.mitre.org/data/definitions/311.html)

---

## โš ๏ธ Legal Disclaimer

This repository is for **educational and research purposes only**.

- โœ… Use for learning about security vulnerabilities
- โœ… Use in controlled lab environments
- โœ… Use with proper authorization
- โŒ Do NOT use against systems you don't own
- โŒ Do NOT use in production environments

---

## ๐Ÿ“ License

MIT License - See [LICENSE](LICENSE) for details.

---

## ๐Ÿ™ Acknowledgments

- Vulnerability discovered by **0xJacky**
- Original advisory: [GHSA-g9w5-qffc-6762](https://github.com/advisories/GHSA-g9w5-qffc-6762)