CVE-2026-27811
Received Received - Intake
Command Injection in Roxy-WI Allows Authenticated Remote Code Execution

Publication date: 2026-03-18

Last updated on: 2026-03-19

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowed authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-18
Last Modified
2026-03-19
Generated
2026-06-16
AI Q&A
2026-03-18
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27811
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
roxy-wi roxy-wi to 8.2.6.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can have severe impacts including allowing an authenticated attacker to execute arbitrary system commands as root on the server hosting roxy-wi. This can lead to full system compromise, including unauthorized access to sensitive data, modification or deletion of files, disruption of services, and potentially using the compromised system as a pivot point for further attacks.

Executive Summary

CVE-2026-27811 is a command injection vulnerability in the roxy-wi web interface, which manages Haproxy, Nginx, Apache, and Keepalived servers. The flaw exists in the `/config/compare/<service>/<server_ip>/show` endpoint, where authenticated users can supply input parameters that are directly used to construct shell commands without proper sanitization. This allows attackers to inject and execute arbitrary system commands on the host running the application.

The vulnerability arises because user inputs representing configuration file names are concatenated into a shell command string executed with shell=true, enabling command injection. Exploitation requires valid user credentials with access to the service, but once exploited, it allows full system compromise with root privileges.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to exploit the command injection flaw in the `/config/compare/<service>/<server_ip>/show` endpoint of the roxy-wi application. Authenticated users can test by sending crafted requests with malicious `left` or `right` parameters that include shell commands.'}, {'type': 'paragraph', 'content': 'For example, sending a JSON payload with "left": "; id; whoami; #" and an empty "right" parameter to the endpoint can reveal if arbitrary commands are executed and their output returned.'}, {'type': 'paragraph', 'content': 'Detection commands or steps include using curl or similar tools to send authenticated POST requests to the vulnerable endpoint with payloads designed to execute simple commands like `id` or `whoami` and checking the response for command output.'}, {'type': 'list_item', 'content': 'Use curl to send a test payload: curl -X POST -H "Content-Type: application/json" -d \'{"left": "; id; whoami; #", "right": ""}\' https://<roxy-wi-host>/config/compare/haproxy/<server_ip>/show --cookie "auth_cookie=your_auth_token"'}, {'type': 'list_item', 'content': 'Check the JSON response for output of the injected commands such as user identity and system information.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include upgrading roxy-wi to version 8.2.6.3 or later, where the vulnerability has been fixed by adding input validation, improved error handling, and safer subprocess execution.'}, {'type': 'paragraph', 'content': 'If upgrading is not immediately possible, restrict access to the vulnerable endpoint to trusted users only, and monitor for suspicious activity involving the `/config/compare` endpoint.'}, {'type': 'paragraph', 'content': 'Additional mitigation recommendations include validating that file paths exist and are legitimate, escaping user inputs properly using functions like `shlex.quote`, and modifying subprocess calls to avoid shell interpretation.'}, {'type': 'list_item', 'content': 'Upgrade roxy-wi to version 8.2.6.3 or newer.'}, {'type': 'list_item', 'content': 'Restrict access to the `/config/compare/<service>/<server_ip>/show` endpoint to authenticated and trusted users.'}, {'type': 'list_item', 'content': 'Implement input validation to block malicious inputs such as those containing ".." or shell metacharacters.'}, {'type': 'list_item', 'content': 'Use proper escaping (e.g., `shlex.quote`) for user inputs before passing them to shell commands.'}, {'type': 'list_item', 'content': 'Modify subprocess execution to use argument lists instead of shell strings to prevent shell injection.'}] [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27811. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart