Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and its contents returned to the caller. The existing path traversal guard only inspects the base directory variable (which is never user-controlled) and entirely ignores the user-supplied configver value. An authenticated attacker can supply a configver value containing `../` sequences to escape the intended directory and read arbitrary files accessible to the web application process. Version 8.2.6.4 contains a patch for the issue.
Published: 2026-04-20
Score: 5.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Apply Patch
AI Analysis

Impact

The vulnerability lies in the POST /config/<service>/show endpoint of Roxy-WI prior to version 8.2.6.4. The endpoint accepts a configver parameter that is concatenated with a fixed base directory path to build a local file path. The existing traversal guard checks only the fixed base directory and never the configver value, so an authenticated user can supply a value containing '..' sequences. This lets the attacker traverse out of the intended directory and read any file the web application process can access. The primary impact is confidential data disclosure. This weakness corresponds to CWE-24 (Path Traversal).
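To make the flawed guard and its fix concrete, the following is an added Python example; it is not Roxy-WI's own code. The directory layout, the file names, and the functions `show_config_unchecked`, `check_version_name` and `show_config_checked` are assumptions constructed for the illustration. The first function reproduces the pattern the advisory describes (a guard that inspects only the constant base directory); the other two show a containment check that validates the user value and then confirms the resolved path still lies under the base directory.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample tree (an assumption, not Roxy-WI's real layout):
#   <tmp>/haproxy/haproxy-2026-04-20.cfg   a saved config version inside the base dir
#   <tmp>/secret.txt                        a file outside the base dir readable by the process
_ROOT = Path(tempfile.mkdtemp(prefix="cfgdemo-"))
BASE_DIR = _ROOT / "haproxy"
BASE_DIR.mkdir()
(BASE_DIR / "haproxy-2026-04-20.cfg").write_text("frontend fe\n    bind *:80\n")
(_ROOT / "secret.txt").write_text("outside the base directory\n")


def show_config_unchecked(configver: str) -> str:
    """Flawed pattern from the advisory: the guard inspects only the constant
    base directory, so a configver containing '..' still escapes it."""
    if ".." in str(BASE_DIR):  # never true: BASE_DIR is not user-controlled
        raise ValueError("invalid base directory")
    path = str(BASE_DIR) + "/" + configver  # user value appended as-is
    with open(path) as fh:
        return fh.read()


def check_version_name(configver: str) -> Optional[str]:
    """Return None if configver names a file inside BASE_DIR, else a rejection reason.

    Two layers: a version name must be a single path component (no separators,
    no '.' or '..'), and the resolved path must still sit under the resolved base
    directory, which also rejects a symlink inside the base that points outside it.
    """
    if not configver or configver in (".", ".."):
        return "empty or dot component"
    if os.path.basename(configver) != configver:
        return "path separators are not allowed in a version name"
    base = BASE_DIR.resolve()
    target = (base / configver).resolve()
    try:
        target.relative_to(base)  # raises ValueError when target is outside base
    except ValueError:
        return "resolved path escapes the base directory"
    return None


def show_config_checked(configver: str) -> str:
    """Hardened form: validate first, then read only from the resolved path."""
    reason = check_version_name(configver)
    if reason is not None:
        raise PermissionError(reason)
    target = (BASE_DIR / configver).resolve()
    if not target.is_file():
        raise FileNotFoundError(configver)
    return target.read_text()


if __name__ == "__main__":
    print(show_config_checked("haproxy-2026-04-20.cfg"))
    for bad in ("../secret.txt", "..", "/etc/hostname", "sub/../../secret.txt"):
        print(bad, "->", check_version_name(bad))
```

The basename test is the cheap, obvious rule (a version name is one filename); the `resolve()` plus `relative_to()` step is the one that actually proves containment, and it is what turns a lexical check into a guarantee about the file that will be opened.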

Affected Systems

Roxy-WI, a web management interface for Haproxy, Nginx, Apache and Keepalived. The affected product is roxy-wi:roxy-wi. Versions prior to 8.2.6.4 are vulnerable. Any earlier release of Roxy-WI that exposes the /config/<service>/show API endpoint should be treated as accepting an unsanitized configver parameter.

Risk and Exploitability

The CVSS score of 5.7 indicates moderate severity. Exploitation requires authenticated access to the web interface, but this control plane is typically reserved for administrators, which raises the value of any disclosed data. No EPSS score is available and the vulnerability is not listed in CISA KEV, suggesting no public exploitation yet. The attack is carried out through the web application layer and can expose configuration files, logs or other sensitive content readable by the web process. The attacker must authenticate and then submit a crafted configver value to the API. Because there is no remote code execution, the risk is confined to data disclosure rather than full system compromise.

Generated by OpenCVE AI on April 21, 2026 at 00:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roxy-WI to version 8.2.6.4 or later, where the path traversal check has been added.
  • Restrict access to the /config/<service>/show API to trusted administrative accounts only and enforce strict authentication controls.
  • Review file permissions on the server to ensure that sensitive files are not readable by the web application process, and audit web server logs for unusual access attempts.

Advisories

No advisories yet.

History

Tue, 21 Apr 2026 14:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 20 Apr 2026 23:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Roxy-wi, Roxy-wi roxy-wi
Vendors & Products  |                | Roxy-wi, Roxy-wi roxy-wi

Mon, 20 Apr 2026 21:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and its contents returned to the caller. The existing path traversal guard only inspects the base directory variable (which is never user-controlled) and entirely ignores the user-supplied configver value. An authenticated attacker can supply a configver value containing `../` sequences to escape the intended directory and read arbitrary files accessible to the web application process. Version 8.2.6.4 contains a patch for the issue.
Title       |                | Roxy-WI Vulnerable to Authenticated Arbitrary File Read via Path Traversal in Config Version Viewer
Weaknesses  |                | CWE-24
References  |                |
Metrics     |                | cvssV4_0: {'score': 5.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T13:42:19.802Z

Reserved: 2026-03-19T18:45:22.435Z

Link: CVE-2026-33431

Vulnrichment

Updated: 2026-04-21T13:42:06.141Z

NVD

Status: Awaiting Analysis

Published: 2026-04-20T21:16:34.823

Modified: 2026-04-21T16:20:24.180

Link: CVE-2026-33431

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z

Weaknesses