CVE-2026-45566
Received Received - Intake
Open Redirect in Roxy-WI Web Interface

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://{request.host}{next_url} and the JS client redirects via window.location.replace(). The block does not consider the userinfo@host syntax. [email protected]/path produces https://[email protected]/path, which all modern browsers route to evil.example. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-45566
EUVD
EUVD-2026-36063
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
roxy-wi roxy-wi to 8.2.6.4 (exc)
roxy-wi roxy-wi *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-45566 vulnerability affects the Roxy-WI application, specifically versions 8.2.6.4 and earlier. It is an open redirect issue in the login flow where the application uses a "next" parameter to redirect users after login.

The application tries to block URLs containing "http://" or "https://" to prevent malicious redirects, but it fails to consider the userinfo@host syntax (basic-auth style URLs). For example, a crafted input like "[email protected]/path" results in a URL that browsers interpret as redirecting to the attacker's domain.

This flaw allows attackers to bypass the URL block and redirect users to attacker-controlled domains after login, potentially enabling phishing or credential harvesting attacks.

Impact Analysis

This vulnerability can impact you by allowing attackers to redirect users to malicious websites after a legitimate login on Roxy-WI.

Such redirects can be used for phishing attacks, where users are tricked into entering sensitive information on attacker-controlled sites, or for credential harvesting.

The vulnerability has a medium severity score (CVSS 6.1) and requires user interaction, meaning users must follow the malicious link for the attack to succeed.

Detection Guidance

This vulnerability can be detected by monitoring and analyzing the login requests to the Roxy-WI application, specifically looking at the "next" parameter in the /login endpoint.

You can search for login URLs where the "next" parameter contains suspicious patterns that bypass the block, such as strings including "@" before a domain (userinfo@host syntax), or URLs starting with "https://", "http://", or "//".

Example commands to detect such attempts in web server logs or network traffic include:

  • Using grep to find suspicious "next" parameters in logs: grep -E 'next=.*(@|https?://|//)' /path/to/roxy-wi/access.log
  • Using tcpdump or Wireshark to capture HTTP requests and filter for the "next" parameter containing '@' or URL schemes.
  • Using a web application firewall (WAF) or IDS rules to alert on login requests with "next" parameters containing userinfo@host patterns or URL schemes.
Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation steps include:

  • Implement strict validation on the "next" parameter in the login flow to reject any input containing userinfo@host syntax (e.g., strings with '@' before the domain).
  • Temporarily disable or restrict the use of the "next" parameter in login redirects if possible.
  • Monitor and block suspicious login requests that attempt to exploit this open redirect vulnerability.
  • Educate users about phishing risks and encourage vigilance when clicking login links.

A proposed patch involves using proper URL parsing (e.g., Python's urllib.parse.urlparse) to validate the "next" URL before redirection, which should be applied once available.

Compliance Impact

The vulnerability in Roxy-WI allows attackers to redirect users to malicious domains after login, which can facilitate phishing attacks or credential harvesting.

Such attacks can lead to unauthorized access to user credentials and potentially sensitive data, which may result in violations of data protection regulations like GDPR or HIPAA that require safeguarding user information and preventing unauthorized access.

Therefore, this vulnerability could negatively impact compliance with these standards by exposing users to risks of data breaches and unauthorized data disclosure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45566. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart