CVE-2026-33431
Received Received - Intake
Path Traversal in Roxy-WI API Allows Arbitrary File Read

Publication date: 2026-04-20

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and its contents returned to the caller. The existing path traversal guard only inspects the base directory variable (which is never user-controlled) and entirely ignores the user-supplied configver value. An authenticated attacker can supply a configver value containing `../` sequences to escape the intended directory and read arbitrary files accessible to the web application process. Version 8.2.6.4 contains a patch for the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-20
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-21
EPSS Evaluated
2026-06-15
NVD
CVE-2026-33431
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
roxy-wi roxy-wi to 8.2.6.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-24 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize "../" sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

An attacker who is authenticated to the Roxy-WI interface can exploit this vulnerability to read arbitrary files on the server. This can lead to exposure of sensitive information such as configuration files, credentials, or other data accessible to the web application process.

Such unauthorized file access can compromise the confidentiality of the system and potentially aid further attacks or unauthorized access.

Mitigation Strategies

To mitigate this vulnerability, upgrade Roxy-WI to version 8.2.6.4 or later, which contains a patch that properly validates the configver parameter to prevent path traversal.

Executive Summary

This vulnerability exists in Roxy-WI, a web interface used to manage servers like Haproxy, Nginx, Apache, and Keepalived. Before version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a parameter called configver, which is used to build a file path. However, the application only checks the base directory path (which is safe) and does not validate the user-supplied configver parameter.

Because the configver parameter is not properly validated, an authenticated attacker can include directory traversal sequences such as '../' to escape the intended directory and access arbitrary files on the server that the web application process can read.

This issue was fixed in version 8.2.6.4 by patching the way the configver parameter is handled.

Detection Guidance

This vulnerability involves the POST /config/<service>/show API endpoint in Roxy-WI prior to version 8.2.6.4, where the configver parameter is vulnerable to path traversal attacks allowing an authenticated attacker to read arbitrary files.

To detect this vulnerability on your system, you can attempt to send an authenticated POST request to the /config/<service>/show endpoint with a configver parameter containing path traversal sequences such as '../' and observe if the response includes contents of files outside the intended directory.

Example command using curl (replace <service>, <username>, and <password> accordingly):

  • curl -X POST -u <username>:<password> -d "configver=../../../../etc/passwd" https://<roxy-wi-host>/config/<service>/show

If the response contains the contents of /etc/passwd or other sensitive files, the system is vulnerable.

Compliance Impact

The vulnerability allows an authenticated attacker to perform a path traversal attack and read arbitrary files accessible to the web application process. This unauthorized access to potentially sensitive files could lead to exposure of personal or protected data.

Such unauthorized data access may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized disclosure.

However, the provided information does not explicitly describe the specific compliance implications or whether any regulated data is at risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-33431. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart