CVE-2026-45569
Received Received - Intake
Path Traversal in Roxy-WI Web Interface

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, ommit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a line in app/modules/config/config.py:462. This is tuple-membership, not substring containment β€” '..' in (a, b, c) evaluates to True only if any of a, b, c is equal to the literal string '..'. For any realistic path-traversal payload (../../etc/passwd, ..\\..\\etc\\passwd, etc.) the check returns False and the patch silently lets the payload through. At time of publication, there are no publicly available patches.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-06-10
AI Q&A
2026-06-10
EPSS Evaluated
N/A
NVD
CVE-2026-45569
EUVD
EUVD-2026-36065
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
roxy-wi roxy-wi to 8.2.6.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-697 The product compares two entities in a security-relevant context, but the comparison is incorrect.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The CVE-2026-45569 vulnerability affects Roxy-WI versions 8.2.6.4 and earlier. It is a path-traversal flaw caused by an incorrect security check in the code that was intended to block malicious path inputs. The check uses tuple membership to detect the string '..', but this method only matches exact strings and fails to detect realistic path-traversal payloads like '../../etc/passwd'. As a result, attackers can bypass the validation and access arbitrary files on the server.

This vulnerability arises from a bug in the file app/modules/config/config.py at line 462, where the check `if '..' in (configs_dir, config_file_name, configver)` is used incorrectly. Because of this, path-traversal payloads are not blocked, allowing unauthorized file reads.

Impact Analysis

This vulnerability allows an authenticated attacker with a low-privilege role (role level 3 or lower) to read arbitrary files on the Roxy-WI host. This includes sensitive files such as the JWT private key, SSH private keys, and configuration secrets.

The impact is primarily on confidentiality and integrity, as attackers can access sensitive information that could be used to further compromise the system or impersonate users.

Detection Guidance

This vulnerability can be detected by checking if the Roxy-WI instance is running a vulnerable version (8.2.6.4 or prior) and by testing the path-traversal flaw via the POST endpoint `/config/versions/<service>/<server_ip>/<configver>/save`.

You can attempt to exploit the vulnerability by sending crafted POST requests containing path-traversal payloads such as `../../etc/passwd` to see if arbitrary files can be accessed.

For detection on the system, you can check the version of Roxy-WI installed and inspect the file `app/modules/config/config.py` around line 462 to see if the faulty tuple-membership check is present.

  • Use curl or similar tools to send a POST request to the vulnerable endpoint with a payload attempting path traversal, for example:
  • curl -X POST -d 'configver=../../etc/passwd' https://<roxy-wi-host>/config/versions/<service>/<server_ip>/../../etc/passwd/save
  • Check Roxy-WI version via its interface or by inspecting installed package versions.
Mitigation Strategies

Since no public patches are available at the time of publication, immediate mitigation involves restricting access to the vulnerable Roxy-WI instance, especially the POST `/config/versions/<service>/<server_ip>/<configver>/save` endpoint.

Limit the roles and users who can access this endpoint to only trusted administrators with the highest privileges.

Implement network-level controls such as firewall rules or VPN access to restrict external access to the Roxy-WI management interface.

Monitor logs for suspicious POST requests containing path-traversal payloads.

As a longer-term fix, update the code to replace the tuple-membership check with proper substring containment or path normalization using functions like `os.path.realpath()` in `app/modules/config/config.py` at line 462.

Compliance Impact

The CVE-2026-45569 vulnerability allows authenticated attackers with low privileges to read arbitrary files on the Roxy-WI host, including sensitive files such as private keys and configuration secrets. This unauthorized access to sensitive data can lead to breaches of confidentiality and integrity.

Such exposure of sensitive information can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict protection of personal and sensitive data. The vulnerability increases the risk of data breaches and unauthorized data disclosure, potentially leading to non-compliance with these regulations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45569. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart