Threat actors are already snooping around a recently disclosed vulnerability in the user interface of the popular open-source web server, Nginx.
CVE-2026-27944 was only disclosed on 5 March and could allow an unauthenticated attacker to download and decrypt full server backups, with the potential for credentials, configuration data, and encryption keys to be compromised.
The issue impacts versions of the UI before 2.3.3 and has been patched in that version. This critical-severity vulnerability is due to the combination of two security flaws: missing authentication on the api/backup endpoint, and encryption keys disclosed in HTTP response headers.
A proof of concept for exploitation already exists.
According to watchTowr’s head of proactive threat intelligence, Ryan Dewhurst, this is one to watch and to patch immediately.
“The latest critical vulnerability in Nginx UI (CVE-2026-27944, CVSS score of 9.8) is yet another flaw attackers love: simple, unauthenticated, and exploitable with a single request,” Dewhurst told Cyber Daily.
“The flaw presents a serious risk, potentially exposing sensitive configuration information, credentials, and encryption keys.”
Dewhurst noted that watchTowr’s honeypot network has already detected probes targeting the vulnerable API endpoint over the last four days, with the potential hackers “aiming to identify and exploit vulnerable hosts”.
“While the blast radius is more targeted, exploitation is likely imminent,” Dewhurst said.
“Fortunately, it’s Nginx UI, not Nginx itself, but for organisations running affected versions, the advice remains clear: patch immediately. And for those who need to hear it, consider this a timely reminder: management interfaces don’t belong on the public internet.”
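For defenders checking whether the probing described above reached their own hosts, the following added example (not from the article, watchTowr or the Nginx UI project) triages access logs for requests to the api/backup endpoint and separates blocked probes from responses that actually returned data. It assumes the UI sits behind a reverse proxy writing combined-format access logs and uses a hypothetical `TRUSTED_NETS` allowlist; the sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Combined log format: ip - user [time] "METHOD path PROTO" status bytes ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Endpoint named in the article; tolerate a path prefix, trailing slash or query string.
BACKUP_RE = re.compile(r'(^|/)api/backup(/|\?|$)')
# Assumption: management traffic should only come from these networks.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def is_trusted(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparseable client field is never trusted
    return any(addr in net for net in TRUSTED_NETS)

def triage(lines):
    """Return {ip: {"probes": n, "served": n}} for untrusted hits on api/backup."""
    hits = defaultdict(lambda: {"probes": 0, "served": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or not BACKUP_RE.search(m["path"]) or is_trusted(m["ip"]):
            continue
        entry = hits[m["ip"]]
        entry["probes"] += 1
        # A 2xx response with a body means backup data may have left the host.
        if m["status"].startswith("2") and m["size"] not in ("-", "0"):
            entry["served"] += 1
    return dict(hits)

# Constructed sample lines using documentation-range addresses, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [09/Mar/2026:10:01:02 +0000] "GET /api/backup HTTP/1.1" 200 482113 "-" "curl/8.5.0"',
    '198.51.100.23 - - [09/Mar/2026:10:04:40 +0000] "GET /api/backup HTTP/1.1" 403 153 "-" "-"',
    '198.51.100.23 - - [09/Mar/2026:10:04:41 +0000] "GET /ui/api/backup?x=1 HTTP/1.1" 404 0 "-" "-"',
    '10.1.2.3 - admin [09/Mar/2026:11:00:00 +0000] "GET /api/backup HTTP/1.1" 200 481990 "-" "Mozilla/5.0"',
    '192.0.2.50 - - [09/Mar/2026:11:05:00 +0000] "GET /api/backups-info HTTP/1.1" 200 1024 "-" "-"',
]

if __name__ == "__main__":
    for ip, counts in triage(SAMPLE).items():
        verdict = "INVESTIGATE: backup served" if counts["served"] else "probe only"
        print(f"{ip}: {counts['probes']} request(s), {verdict}")
```

Any source with a non-zero `served` count on a version before 2.3.3 should be handled as a potential disclosure of the backup contents, including rotation of the credentials and keys it held.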
David Hollingworth