CVE-2026-45556
Status: Received - Intake
Path Traversal in Roxy-WI Leading to Remote Code Execution

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that is passed straight through to config_mod.master_slave_upload_and_restart(...) as the destination path. The validation chain (_replace_config_path_to_correct → check_is_conf) only requires the path to contain a hard-coded service substring (nginx, haproxy, apache2, httpd or keepalived) and the substring conf or cfg, and not to contain "..". The encoded-slash substitution 92 → / is applied before the substring check, so an attacker can build any absolute path on the load balancer filesystem as long as it satisfies those substring constraints. The body of the WAF rule (the config form field) is written verbatim to that path. By choosing a filename such as 92etc92cron.d92nginx_cfg_evil (which resolves to /etc/cron.d/nginx_cfg_evil), an attacker drops a cron entry with attacker-controlled content on the load balancer. Cron parses the file on its next scan and executes the embedded job as root: full RCE on every load balancer the caller's group manages. At the time of publication, no public patches are available.
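The following is an added example, not Roxy-WI's own code: it models the validation chain the advisory describes (the 92 → / substitution followed by substring checks) to show why the cron.d path is accepted, and sets a containment-based check beside it. The per-service configuration roots in ALLOWED_ROOTS are assumptions; the real directories depend on the distribution and the Roxy-WI configuration.

```python
import posixpath
from typing import Optional

# Service substrings the advisory says check_is_conf looks for.
SERVICES = ("nginx", "haproxy", "apache2", "httpd", "keepalived")


def decode_path(config_file_name: str) -> str:
    """The encoded-slash substitution described in the advisory: "92" -> "/".
    It runs before validation, so the checks see the final path."""
    return config_file_name.replace("92", "/")


def vulnerable_check_is_conf(config_file_name: str) -> bool:
    """Model of the substring-only validation chain (this is the flaw).
    Anything containing a service name and "conf"/"cfg", without "..",
    is accepted, wherever on the filesystem it points."""
    path = decode_path(config_file_name)
    return (
        any(service in path for service in SERVICES)
        and ("conf" in path or "cfg" in path)
        and ".." not in path
    )


# Assumed per-service config roots for the hardened version (not from Roxy-WI).
ALLOWED_ROOTS = {
    "nginx": "/etc/nginx",
    "haproxy": "/etc/haproxy",
    "apache2": "/etc/apache2",
    "httpd": "/etc/httpd",
    "keepalived": "/etc/keepalived",
}


def hardened_check_is_conf(service: str, config_file_name: str) -> Optional[str]:
    """Containment check instead of substring matching.
    Returns the normalized path if it lies under the service's config root
    and carries a .conf/.cfg extension, else None. Normalization happens on
    the decoded path, so ".", ".." and doubled slashes cannot escape the root.
    On a live host also pass the result through os.path.realpath so a symlink
    beneath the root cannot redirect the write."""
    root = ALLOWED_ROOTS.get(service)
    if root is None:
        return None
    candidate = posixpath.normpath(decode_path(config_file_name))
    if not candidate.startswith(root + "/"):
        return None
    if posixpath.splitext(candidate)[1] not in (".conf", ".cfg"):
        return None
    return candidate


if __name__ == "__main__":
    evil = "92etc92cron.d92nginx_cfg_evil"      # the advisory's example payload
    good = "92etc92nginx92conf.d92site.conf"    # a legitimate-looking name
    for name in (evil, good):
        print(name, "->", decode_path(name),
              "| vulnerable accepts:", vulnerable_check_is_conf(name),
              "| hardened returns:", hardened_check_is_conf("nginx", name))
```

The vulnerable model accepts the cron.d payload because "/etc/cron.d/nginx_cfg_evil" contains "nginx" and "cfg" and no "..", while the hardened check rejects it because the normalized path is not under /etc/nginx/. Note that prefix matching on root + "/" also blocks sibling directories such as /etc/nginx_evil/.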
Affected Vendors & Products
Vendor: roxy-wi
Product: roxy-wi
Version / Range: up to and including 8.2.6.4
CWE
CWE-73: The product allows user input to control or influence paths or file names that are used in filesystem operations.
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-22: The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Executive Summary

This vulnerability exists in Roxy-WI, a web interface for managing load balancers running Haproxy, Nginx, Apache and Keepalived. In versions 8.2.6.4 and earlier, an authenticated group administrator can exploit insufficient validation of the config_file_name parameter in the WAF rule save handler. Because slashes may be encoded as '92' and the only checks are substring matches, the attacker can write the rule body to any path on the load balancer filesystem.

In particular, the attacker can write a file into /etc/cron.d/. Cron reads every file in that directory and runs each job as the user named on the job line, which the attacker controls, so the job runs as root. The result is remote code execution (RCE) with root privileges on every load balancer the attacker's group manages.

Impact Analysis

This vulnerability allows an authenticated group administrator to gain full remote code execution on all load balancers they manage. The attacker can execute arbitrary commands as root, potentially leading to complete system compromise.

  • Full control over load balancer servers.
  • Ability to execute malicious code with root privileges.
  • Potential disruption or manipulation of network traffic managed by the load balancers.
  • Risk of further lateral movement or persistent access within the network.
Detection Guidance

This vulnerability is an authenticated arbitrary file write through the config_file_name parameter of the WAF rule save handler in Roxy-WI. Exploitation attempts are POST requests to /waf/<service>/<server_ip>/rule/<rule_id>/save whose config_file_name value uses the 92 encoding for slashes to reach a path outside the service's configuration directory (the advisory's example is 92etc92cron.d92nginx_cfg_evil).

The parameter travels in the POST body, which standard web server access logs do not record. To inspect it you need request-body logging on the reverse proxy or WAF in front of Roxy-WI, or the application's own logs. Where a body is available, decode 92 to / and compare the resulting path against the expected configuration directories rather than grepping for one specific filename.

On the load balancers themselves, check the cron directories for unexpected files and watch them for changes, for example:

  • ls -l /etc/cron.d/
  • ls /etc/cron.d/ | grep -E 'nginx|haproxy|apache2|httpd|keepalived' (a file dropped through this bug must carry one of these service names plus conf or cfg in its path)
  • auditctl -w /etc/cron.d/ -p wa -k cron_watch (requires auditd; add the rule under /etc/audit/rules.d/ to keep it across reboots)

Monitoring for new or modified cron files and for unusual cron jobs, especially root jobs that run commands from writable locations, can help detect exploitation.

Mitigation Strategies

Immediate mitigation steps include restricting access to the Roxy-WI interface to trusted administrators only, since exploitation requires an account with group admin privileges; review which accounts hold that role.

No fixed release is available at the time of publication, so treat every version up to and including 8.2.6.4 as vulnerable and track the vendor for a patch.

Implement network-level controls such as firewall rules to limit access to the management interface.

Regularly audit the filesystem, especially cron directories, for unauthorized files or changes.

Consider temporarily disabling or restricting the WAF rule save functionality if possible until a patch is available.

Compliance Impact

The vulnerability allows authenticated group administrators to achieve remote code execution on all managed load balancers by writing arbitrary files, including malicious cron jobs, which execute with root privileges. This can lead to unauthorized access, data manipulation, and full system compromise.

Such a compromise can severely impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and system security. Unauthorized root access and remote code execution violate these principles, potentially leading to data breaches and regulatory non-compliance.
