CVE-2026-45558
Received - Intake
Command Injection in Roxy-WI via HAProxy Config

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints (POST /api/service/haproxy/<server_id>/section/<section_type> and the PUT / global / defaults variants) accept a JSON option field that is not validated, not escaped, and is rendered verbatim into the generated HAProxy configuration via the section.j2, global.j2, and defaults.j2 Ansible templates. Because Roxy-WI then pushes the generated config to the load balancer and runs systemctl reload haproxy, an authenticated user with role ≤ 3 (user) can inject arbitrary HAProxy directives into the config that runs on every load balancer their group manages, including option external-check + external-check command /bin/bash -c '…', which gives remote code execution on the load balancer as the haproxy user on every health-check tick. At time of publication, there are no publicly available patches.
Meta Information
Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products (6 associated CPEs)
Vendor       Product       Version / Range
roxy-wi      roxy-wi       up to 8.2.6.4 (excluding)
haproxy      haproxy       *
nginx        nginx         *
apache       http_server   *
keepalived   keepalived    *
roxy-wi      roxy-wi       8.2.6.4
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
AI Quick Actions
Compliance Impact

This vulnerability allows authenticated users with low privileges to execute arbitrary code on HAProxy load balancers, potentially leading to full compromise of the load balancer environment.

Such a compromise can result in unauthorized access to sensitive data, including TLS private keys and internal backend services, which may lead to data breaches.

Data breaches and unauthorized access to sensitive information can negatively impact compliance with standards and regulations like GDPR and HIPAA, which require protection of personal and health-related data.

Therefore, exploitation of this vulnerability could cause violations of these regulations due to inadequate security controls and potential exposure of protected data.

Executive Summary

CVE-2026-45558 is a vulnerability in Roxy-WI, a web interface used to manage HAProxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and earlier, the HAProxy section-save endpoints accept a JSON option field that is not validated or escaped. This untrusted input is directly inserted into the HAProxy configuration files via Ansible templates.

Because the configuration is pushed to the load balancer and HAProxy is reloaded, an authenticated user with a role level of 3 or lower (including regular users) can inject arbitrary HAProxy directives. This includes directives like 'option external-check' combined with 'external-check command' that allow remote code execution on the load balancer as the haproxy user during health check intervals.

The root cause is the lack of input validation and escaping in the option fields used in the configuration templates, allowing attackers to inject malicious commands that execute with the privileges of the haproxy user.

Impact Analysis

This vulnerability can lead to full compromise of the HAProxy load balancer managed by Roxy-WI. An attacker with low-level authenticated access can execute arbitrary commands on the load balancer as the haproxy user.

  • Remote code execution on all HAProxy load balancers managed by the attacker's group.
  • Potential access to sensitive data such as TLS private keys.
  • Ability to disclose sensitive files or load malicious Lua scripts.
  • Possibility to launch daemon processes or pivot to other internal hosts if combined with leaked credentials.

The attack requires only low privileges and no user interaction, which makes it especially dangerous in internet-facing deployments.

Detection Guidance

This vulnerability can be detected by inspecting HAProxy configuration files generated by Roxy-WI for injected arbitrary directives, especially those involving the 'option external-check' and 'external-check command' directives. Since the injection occurs via the 'option' field in API requests, checking for unexpected or suspicious entries in the HAProxy config files is key.

One practical approach is to search the HAProxy configuration files for the presence of 'external-check command' directives that execute shell commands. For example, you can run the following command on the load balancer to detect suspicious injected commands:

  • grep -r --include='*.cfg' 'external-check command' /etc/haproxy/

Additionally, monitoring the /tmp directory or other writable locations for unexpected files created by injected commands (e.g., /tmp/pwned.txt) can help detect exploitation attempts.

Network detection can include monitoring for unusual reloads of the HAProxy service (e.g., systemctl reload haproxy) triggered by configuration changes, or unexpected outbound connections initiated by malicious Lua scripts or commands injected via this vulnerability.
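An added example (not part of this record or of the Roxy-WI project) of the configuration inspection described above: the script walks an haproxy.cfg, tracks the current section, and reports every directive that can run code on the proxy host, so each finding can be compared against what administrators deliberately configured. The risky-directive list and the sample configuration are constructed for this example.

```python
import re
import sys

# Directives that can execute code on the proxy host; any occurrence in a config
# generated from user-supplied section data deserves review (example's own list).
RISKY_DIRECTIVES = {
    "option external-check": "enables external health-check programs",
    "external-check command": "runs a program on every health-check tick",
    "lua-load": "loads a Lua script into the HAProxy process",
}
SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b\s*(\S*)")  # section header, optional name

def find_risky_directives(cfg_text):
    """Return one finding per risky directive, with its line number and section."""
    findings = []
    section = None
    for lineno, raw in enumerate(cfg_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in haproxy.cfg
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = " ".join(part for part in m.groups() if part)
            continue
        words = line.split()
        for directive, why in RISKY_DIRECTIVES.items():
            want = directive.split()
            if words[:len(want)] == want:  # whitespace-insensitive prefix match
                findings.append({"line": lineno, "section": section,
                                 "directive": " ".join(words), "why": why})
    return findings

# Constructed sample: user-supplied option data contributed the two external-check lines.
SAMPLE_CFG = """\
global
    user haproxy

backend app_servers
    option httpchk GET /health
    option external-check
    external-check command /usr/local/bin/suspect-check.sh
    server app1 10.0.0.11:8080 check
"""

if __name__ == "__main__":
    texts = [open(p).read() for p in sys.argv[1:]] or [SAMPLE_CFG]  # given files, else sample
    for text in texts:
        for f in find_risky_directives(text):
            print(f"line {f['line']} [{f['section']}] {f['directive']} <- {f['why']}")
```

Run it with one or more .cfg paths as arguments, or with none to scan the embedded sample.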

Mitigation Strategies

Immediate mitigation steps include restricting or disabling the ability of users with role level 3 or lower to modify HAProxy configuration sections via the Roxy-WI interface, as these users can exploit the vulnerability.

Implement input validation to reject newlines and HAProxy-specific characters in the 'option' fields of configuration requests to prevent injection of arbitrary directives.

Avoid using Jinja2 templates that directly interpolate untrusted input for generating HAProxy configuration files. Instead, use safer templating or sanitization methods.

Enforce allow-lists for permitted HAProxy directives in the configuration fields to prevent injection of unauthorized commands.

On the load balancer side, validate the generated configuration before reloading the service, for example with HAProxy's own check mode (haproxy -c -f <path to config>). A syntax check alone accepts well-formed injected directives, so pair it with a scan that rejects directives such as external-check command that should never appear in a Roxy-WI-managed configuration.

Until patches are available, consider limiting access to the Roxy-WI management interface to trusted administrators only and monitor for suspicious activity or configuration changes.
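An added example (not Roxy-WI's own code) of the two input controls recommended above, applied to the JSON option field before it reaches a template: every entry is rejected if it contains any control character, newlines included, and is accepted only when its directive keyword is allow-listed, with external-check deliberately absent from the permitted option sub-keywords. The allow-lists and function names are this example's assumptions.

```python
import re

# Policy this example assumes for non-admin users (not Roxy-WI's own lists): the
# directive keyword must be allow-listed, and "option" may only take sub-keywords
# that cannot start a program, so external-check is deliberately absent.
ALLOWED_DIRECTIVES = {"option", "timeout", "balance", "maxconn", "retries"}
ALLOWED_OPTIONS = {
    "httpchk", "forwardfor", "http-server-close", "redispatch",
    "dontlognull", "httplog", "tcplog", "abortonclose", "tcp-check",
}
# Any ASCII control character, CR and LF included: one entry is one directive, so a
# newline can only be an attempt to smuggle a second line into the rendered config.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

class OptionValidationError(ValueError):
    """Raised when a user-supplied option value must not reach the template."""

def validate_option_field(value):
    """Validate the 'option' field (a directive string or a list of them); return the accepted directives."""
    items = value if isinstance(value, list) else [value]
    accepted = []
    for item in items:
        if not isinstance(item, str):
            raise OptionValidationError("each option entry must be a string")
        if CONTROL_CHARS.search(item):
            raise OptionValidationError("control characters (including newlines) are not allowed")
        words = item.split()  # also normalises runs of spaces
        if not words:
            continue
        if words[0] not in ALLOWED_DIRECTIVES:
            raise OptionValidationError(f"directive not permitted: {words[0]!r}")
        if words[0] == "option":
            sub = words[1] if len(words) > 1 else ""
            if sub not in ALLOWED_OPTIONS:
                raise OptionValidationError(f"option keyword not permitted: {sub!r}")
        accepted.append(" ".join(words))
    return accepted

def check_option_field(value):
    """Non-raising wrapper for request handlers: (True, accepted) or (False, reason)."""
    try:
        return True, validate_option_field(value)
    except OptionValidationError as exc:
        return False, str(exc)
```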
