CVE-2026-45564
Command Injection in Roxy-WI Web Interface

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, `POST /config/versions/<service>/<server_ip>/<configver>/save` interpolates the URL-path `configver` parameter directly into a config-version path that ends up at `os.system(f"dos2unix -q {cfg}")`. `configver` is not run through `EscapedString` (Pydantic doesn't validate path segments declared as `str`) and the surrounding `..` block is the broken tuple-membership patch from GHSA-vapt-004. An authenticated user with role <= 3 ("user") therefore reaches a `/bin/sh -c` command-injection sink. At time of publication, there are no publicly available patches.
Affected Vendors & Products
Vendor | Product | Version / Range
roxy-wi | roxy-wi | to 8.2.6.4 (exc)
CWE ID | Description
CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Compliance Impact

CVE-2026-45564 allows an authenticated user with low privileges to execute arbitrary commands on the affected system, leading to high confidentiality, integrity, and availability impacts. Such a compromise can result in unauthorized access to sensitive data, data modification, or service disruption.

These impacts can negatively affect compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, maintaining data integrity, and ensuring system availability.

Specifically, a successful exploit could lead to breaches of confidentiality and integrity of protected data, potentially resulting in regulatory violations and associated penalties.

Executive Summary

CVE-2026-45564 is a high-severity authenticated remote code execution (RCE) vulnerability in Roxy-WI versions 8.2.6.4 and earlier.

The vulnerability exists in the `/config/versions/<service>/<server_ip>/<configver>/save` endpoint, where the `configver` URL parameter is directly inserted into a shell command without proper validation or sanitization.

An authenticated user with a role level of 3 or lower can exploit this by injecting shell metacharacters into the `configver` parameter, leading to arbitrary command execution via the `os.system` call.

This happens because the parameter is not properly validated or escaped, and a previous patch failed to fix this issue.

Impact Analysis

Successful exploitation allows an attacker to execute arbitrary commands on the server as the web server user.

With default sudo configurations permitting passwordless `chown`, the attacker can escalate privileges laterally.

The impact includes high loss of confidentiality, integrity, and availability of the affected system.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious or unexpected HTTP POST requests to the endpoint /config/versions/<service>/<server_ip>/<configver>/save, especially those containing shell metacharacters in the configver parameter.

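Commands to detect potential exploitation attempts include inspecting web server logs for POST requests to the vulnerable endpoint with unusual characters in the request path, for example using grep. The second filter is anchored to the request path, since matching anywhere on the line would also hit the `;` present in most User-Agent strings, and it includes the percent-encoded forms of the same characters:

  • grep -E 'POST /config/versions/.+/.+/.+/save' /var/log/nginx/access.log | grep -Ei 'POST /config/versions/[^ ]*([;&|`$]|%(3b|26|7c|60|24))'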

Additionally, monitoring for unexpected shell command executions or unusual process activity related to dos2unix or os.system calls may help detect exploitation attempts.
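
The log check described above as a script, added here as an example that is not part of the original page or of Roxy-WI: it percent-decodes only the `configver` path segment and flags anything outside an allowlist, so encoded and double-encoded values are caught and `;` in a User-Agent is ignored. The allowlist pattern, the nginx "combined" log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Route named in the advisory; group 3 is the raw <configver> path segment.
ROUTE = re.compile(
    r'"POST /config/versions/([^/ ]+)/([^/ ]+)/([^ ]*)/save(?:\?[^ ]*)? HTTP/')
# Assumption: legitimate config-version names use only these characters.
SAFE_CONFIGVER = re.compile(r"[A-Za-z0-9._-]+")


def suspicious_configver(line):
    """Return the decoded configver if it fails the allowlist, else None."""
    m = ROUTE.search(line)
    if m is None:
        return None  # not a request to the save endpoint
    configver = unquote(m.group(3))  # decode once, e.g. %3B -> ;
    # A '%' left after one decode (double encoding) also fails the allowlist.
    if SAFE_CONFIGVER.fullmatch(configver) and ".." not in configver:
        return None
    return configver


def scan(lines):
    """Return (line_number, decoded_configver) for every flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        configver = suspicious_configver(line)
        if configver is not None:
            hits.append((number, configver))
    return hits


# Constructed sample lines (nginx "combined" format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Jun/2026:09:14:02 +0000] "POST /config/versions/haproxy/'
    '10.0.0.5/10.0.0.5-2026-06-10_09-13-58.cfg/save HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.44 - - [10/Jun/2026:09:20:11 +0000] "POST /config/versions/nginx/'
    '10.0.0.5/a.cfg%3Bid/save HTTP/1.1" 500 0 "-" "curl/8.5.0"',
    '192.0.2.44 - - [10/Jun/2026:09:20:15 +0000] "POST /config/versions/nginx/'
    '10.0.0.5/a.cfg%2560x%2560/save HTTP/1.1" 500 0 "-" "curl/8.5.0"',
    '192.0.2.10 - - [10/Jun/2026:09:21:40 +0000] "GET /config/versions/nginx/'
    '10.0.0.5 HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for number, configver in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious configver {configver!r}")
```

Tighten `SAFE_CONFIGVER` to the naming scheme your deployment actually produces before relying on the output.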

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint to trusted users only, especially limiting authenticated users with role level 3 or lower.

Avoid using the vulnerable versions of Roxy-WI (8.2.6.4 and earlier) if possible, and monitor for any updates or patches that replace os.system calls with safer alternatives like subprocess.run.

As no public patches are available at the time of publication, consider implementing network-level controls such as firewall rules to block access to the vulnerable endpoint or disabling the affected functionality temporarily.

Review sudo configurations to prevent passwordless privilege escalation that could be leveraged after initial exploitation.
