Nginx UI – Unauthenticated Backup Download with Encryption Key Disclosure

05/03/2026

The /api/backup endpoint is accessible without authentication and discloses the encryption keys required to decrypt the backup in the X-Backup-Security response header. This allows an unauthenticated attacker to download a full system backup containing sensitive data (user credentials, session tokens, SSL private keys, Nginx configurations) and decrypt it immediately.

Joshua Martinelle Thu, 03/05/2026 – 08:55
– Read more

Monday	08:00 - 17:00
Tuesday	08:00 - 17:00
Wednesday	08:00 - 17:00
Thursday	08:00 - 17:00
Friday	08:00 - 17:00

Nginx UI – Unauthenticated Backup Download with Encryption Key Disclosure

Latest article

Metasploit Wrap-Up 03/06/2026

CVE-2026-26122 Microsoft ACI Confidential Containers Information Disclosure Vulnerability

LexisNexis Hack Exposes 3.9M Records Through Unpatched React Vulnerability

Iran’s MuddyWater Hackers Hit US Firms with New ‘Dindoor’ Backdoor

EDITOR PICKS

Metasploit Wrap-Up 03/06/2026

CVE-2026-26122 Microsoft ACI Confidential Containers Information Disclosure Vulnerability

LexisNexis Hack Exposes 3.9M Records Through Unpatched React Vulnerability

POPULAR POSTS

Threats to users of adult websites in 2018

The World’s Most Popular Coding Language Happens to be Most Hackers’...

IT threat evolution Q2 2019

POPULAR CATEGORY

Metasploit Wrap-Up 03/06/2026

CVE-2026-26122 Microsoft ACI Confidential Containers Information Disclosure Vulnerability

LexisNexis Hack Exposes 3.9M Records Through Unpatched React Vulnerability