CVE-2026-27944 is a CVSS 9.1 unauthenticated information disclosure vulnerability in the Nginx UI management interface that allows any remote attacker to download and decrypt server backup archives without credentials, exposing configuration files, encryption keys, TLS certificates, and embedded secrets. No active exploitation has been confirmed in CISA KEV, but the unauthenticated network-accessible attack vector and EPSS at the 77th percentile warrant priority remediation. Organizations should patch immediately, restrict network access to the Nginx UI management interface to trusted IPs, and audit backup contents, treating any exposure as full credential compromise requiring rotation.