Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxy_section_save interface has an arbitrary file read vulnerability. Version 8.2.6.4 fixes the issue.
Published: 2026-04-24
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Patch Now
AI Analysis

Impact

Roxy-WI allows an arbitrary file read through the "oldconfig" parameter of the haproxy_section_save endpoint, enabling attackers to read any local file on the host and potentially expose sensitive configuration, credentials, or other privileged data. This remote file disclosure flaw is classified as CWE-22 (path traversal) and has a CVSS score of 7.7, indicating high severity for data exposure.

Affected Systems

The vulnerability affects all Roxy-WI installations running versions earlier than 8.2.6.4; administrators should verify their current release and upgrade if necessary.

Risk and Exploitability

The EPSS score of less than 1% and absence from the CISA KEV catalog indicate a low probability of active exploitation, yet the high CVSS rating means that successful exploitation would give an attacker read access to arbitrary files. The likely attack vector is via the web interface, requiring access to the haproxy_section_save route; compromise of administrative credentials or exposure of the interface would enable exploitation.

Generated by OpenCVE AI on April 28, 2026 at 14:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch by upgrading Roxy-WI to version 8.2.6.4 or later, which removes the legacy "oldconfig" parameter.
  • Restrict the haproxy_section_save endpoint so that only authenticated administrative users can access it, and disable or remove the "oldconfig" functionality if possible to prevent unintended file reads.
  • Implement monitoring on Roxy-WI logs to generate alerts for any unexpected file read attempts involving the oldconfig parameter, and investigate such events promptly.

Tracking

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 15:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Roxy-wi
                                      Roxy-wi roxy-wi
CPEs                                  cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*
Vendors & Products                    Roxy-wi
                                      Roxy-wi roxy-wi
Metrics                               cvssV3_1
                                      {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


Sat, 25 Apr 2026 02:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Apr 2026 02:45:00 +0000

Type                 Values Removed   Values Added
Description                           Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the oldconfig parameter in the haproxy_section_save interface has an arbitrary file read vulnerability. Version 8.2.6.4 fixes the issue.
Title                                 Roxy-WI has an arbitrary file read vulnerability
Weaknesses                            CWE-22
References
Metrics                               cvssV4_0
                                      {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-25T01:43:15.709Z

Reserved: 2026-03-17T19:27:06.344Z

Link: CVE-2026-33077

Vulnrichment

Updated: 2026-04-25T01:42:41.692Z

NVD

Status: Analyzed

Published: 2026-04-24T03:16:10.477

Modified: 2026-04-27T15:04:44.910

Link: CVE-2026-33077

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T14:30:33Z

Weaknesses