CVE Catalog

CVE-2026-45556

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.07%

23th percentile — higher than 23% of all known CVEs

Summary

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the config_file_name field in the POST request /waf/<service>/<server_ip>/rule/<rule_id>/save is not properly validated, allowing an attacker to write files to any location on the load balancer's filesystem.

Risk Assessment

An attacker can inject malicious code into the crontab, resulting in remote code execution (RCE) with root privileges on every load balancer managed by the attacker's group. This poses a significant security threat to the infrastructure.

Recommendation

It is recommended to update Roxy-WI to the latest version that includes security patches. Additionally, implement further validation mechanisms and access restrictions to critical system paths.

Original NVD description (English source)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that is passed straight through to config_mod.master_slave_upload_and_restart(...) as the destination path. The validation chain (_replace_config_path_to_correct → check_is_conf) only requires the path to contain a hard-coded service substring (nginx/haproxy/apache2/httpd/keepalived) and the substring conf or cfg, and to not contain ... The encoded-slash substitution 92 → / is applied before the substring check, so the attacker can build any absolute path anywhere on the LB filesystem as long as it satisfies those substring constraints. The body of the WAF rule (config form field) is written verbatim to that path. By choosing a filename like 92etc92cron.d92nginx_cfg_evil (resolving to /etc/cron.d/nginx_cfg_evil), an attacker drops a cron entry on the load balancer with attacker-controlled content. Cron parses the file on its next scan, executing the embedded job as root — full RCE on every load balancer the caller's group manages. At time of publication, there are no publicly available patches.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS