A newly disclosed vulnerability in Nginx UI, tracked as CVE-2026-27944, has raised major security concerns after researchers confirmed that attackers can download and decrypt server backups without authentication. The flaw, which carries a CVSS score of 9.8, represents a critical security risk for organizations that expose their Nginx UI management interface to the public internet. 

Security researchers attribute the issue primarily to CWE-306 (Missing Authentication for Critical Function), along with improper handling of encryption data. When exploited, CVE-2026-27944 allows unauthenticated attackers to retrieve sensitive backup archives and decrypt them immediately, potentially exposing...