Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that is passed straight through to config_mod.master_slave_upload_and_restart(...) as the destination path. The validation chain (_replace_config_path_to_correct → check_is_conf) only requires the path to contain a hard-coded service substring (nginx/haproxy/apache2/httpd/keepalived) and the substring conf or cfg, and to not contain `..`. The encoded-slash substitution 92 → / is applied before the substring check, so the attacker can build any absolute path anywhere on the LB filesystem as long as it satisfies those substring constraints. The body of the WAF rule (config form field) is written verbatim to that path. By choosing a filename like 92etc92cron.d92nginx_cfg_evil (resolving to /etc/cron.d/nginx_cfg_evil), an attacker drops a cron entry on the load balancer with attacker-controlled content. Cron parses the file on its next scan and executes the embedded job as root: full RCE on every load balancer the caller's group manages. At time of publication, there are no publicly available patches.
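As an added illustration (not Roxy-WI's own code), the following Python reconstructs the substring-only check exactly as the description states it and places a hardened allow-list resolver beside it. The function names, the per-service directories in ALLOWED_DIRS and the accepted suffixes are assumptions made for this example; the weak path reproduces only the behaviour the description already gives, so the page's own sample filename can be seen passing the weak check and failing the hardened one.

```python
import posixpath
from typing import Optional

# Substrings the advisory says the original validator looks for (substring match only).
SERVICE_MARKERS = ("nginx", "haproxy", "apache2", "httpd", "keepalived")
CONF_MARKERS = ("conf", "cfg")


def decode_encoded_slashes(config_file_name: str) -> str:
    """The advisory states that the literal '92' is replaced by '/' before validation."""
    return config_file_name.replace("92", "/")


def weak_check_is_conf(path: str) -> bool:
    """Substring-only check as the advisory describes it: any path that happens to
    contain a service name plus 'conf' or 'cfg', and no '..', is accepted."""
    return (
        any(marker in path for marker in SERVICE_MARKERS)
        and any(marker in path for marker in CONF_MARKERS)
        and ".." not in path
    )


def weak_resolve(config_file_name: str) -> Optional[str]:
    """Destination path a substring-only validator would accept (None if rejected)."""
    path = decode_encoded_slashes(config_file_name)
    return path if weak_check_is_conf(path) else None


# Hardened form. The per-service directories are assumptions for this example.
ALLOWED_DIRS = {
    "nginx": "/etc/nginx/waf/",
    "haproxy": "/etc/haproxy/waf/",
    "apache2": "/etc/apache2/waf/",
    "httpd": "/etc/httpd/waf/",
    "keepalived": "/etc/keepalived/",
}
ALLOWED_SUFFIXES = (".conf", ".cfg")


def safe_resolve(service: str, config_file_name: str) -> Optional[str]:
    """Accept a bare file name only and join it onto the service's allow-listed
    directory; the user-supplied value is never decoded into path separators."""
    base = ALLOWED_DIRS.get(service)
    if base is None:
        return None
    name = config_file_name
    # Reject anything that is not a plain, visible file name with an allowed suffix.
    if not name or name.startswith(".") or "\x00" in name:
        return None
    if "/" in name or "\\" in name:
        return None
    if not name.endswith(ALLOWED_SUFFIXES):
        return None
    candidate = posixpath.normpath(posixpath.join(base, name))
    # Defence in depth: the normalised result must still sit inside the base directory.
    if posixpath.commonpath([base.rstrip("/"), candidate]) != base.rstrip("/"):
        return None
    return candidate


if __name__ == "__main__":
    sample = "92etc92cron.d92nginx_cfg_evil"  # filename quoted in the advisory
    print("weak validator accepts:", weak_resolve(sample))
    print("hardened validator accepts:", safe_resolve("nginx", sample))
    print("legitimate name:", safe_resolve("nginx", "rules.conf"))
```

The hardened resolver is purely lexical; at write time the caller should additionally open the target with the directory pre-resolved (realpath) so a symlink planted inside the allow-listed directory cannot redirect the write elsewhere.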
Published: 2026-06-10
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Roxy‑WI, a web interface for managing load balancer services such as HAProxy, Nginx, Apache, and Keepalived, contains a flaw in the WAF rule save endpoint that allows an authenticated user to supply a config_file_name field. The value is written verbatim to the server’s filesystem; the path checks are inadequate because the encoded-slash translation is performed before the substring validation and the validation itself only tests for substrings. An attacker can therefore construct absolute paths that satisfy the limited service substring rules, drop arbitrary files such as cron jobs, and execute code as root on the load balancer. This leads to full remote code execution on any load balancer that the attacker’s account is authorized to manage.

Affected Systems

The vulnerability affects Roxy‑WI versions 8.2.6.4 and earlier. Systems running these versions control HAProxy, Nginx, Apache, or Keepalived services through the Roxy‑WI interface, providing the applicable attack surface.

Risk and Exploitability

The CVSS score of 9.9 indicates a critical severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the Roxy‑WI instance and the ability to POST to the WAF rule save route. Once an attacker gains these credentials, file writes can occur anywhere that matches the service and configuration substrings, allowing them to install cron jobs or other privileged files and achieve root-level code execution.

Generated by OpenCVE AI on June 10, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Temporarily disable or restrict the /waf/<service>/<server_ip>/rule/<rule_id>/save endpoint to prevent arbitrary file writes.
  • Limit administrative access to the Roxy‑WI web interface or the load balancer service to the minimum required users.
  • Monitor the filesystem for unexpected or unauthorized changes, especially in directories like /etc/cron.d or web server configuration folders.
  • Apply an official patch or upgrade Roxy‑WI to a version that removes this vulnerability as soon as it becomes available.
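To make the monitoring item concrete, here is an added example (not from OpenCVE or Roxy-WI): a snapshot-and-diff check over a directory such as /etc/cron.d, run here against a constructed temporary directory so it works offline. The heuristic that flags file names combining a service name with conf or cfg is an assumption derived from the substring rule in the description; the file names and contents in demo() are constructed.

```python
import hashlib
import os
import tempfile
from typing import Dict, List

# Substrings the advisory's validator accepts; a file dropped through the bypass must
# carry one of each, which makes them a useful hunting heuristic (assumption).
SERVICE_MARKERS = ("nginx", "haproxy", "apache2", "httpd", "keepalived")
CONF_MARKERS = ("conf", "cfg")


def snapshot(directory: str) -> Dict[str, str]:
    """Map each regular file under directory (relative path) to the SHA-256 of its content."""
    digests: Dict[str, str] = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            full = os.path.join(root, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, directory)] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Report files that appeared, disappeared or changed content between two snapshots."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def looks_forged(relpath: str) -> bool:
    """Heuristic: a name carrying both a service marker and conf/cfg matches what the
    weak validator would have let through (the advisory's example is nginx_cfg_evil)."""
    base = os.path.basename(relpath).lower()
    return any(m in base for m in SERVICE_MARKERS) and any(m in base for m in CONF_MARKERS)


def review_changes(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Diff two snapshots and single out new or changed files with the suspicious name pattern."""
    changes = diff_snapshots(before, after)
    changes["flagged"] = [p for p in changes["added"] + changes["modified"] if looks_forged(p)]
    return changes


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a temporary directory stands in for /etc/cron.d."""
    with tempfile.TemporaryDirectory() as crond:
        with open(os.path.join(crond, "logrotate"), "w") as fh:
            fh.write("# constructed baseline entry\n")
        before = snapshot(crond)
        # Constructed: a file with the name pattern from the advisory appears after the baseline.
        with open(os.path.join(crond, "nginx_cfg_evil"), "w") as fh:
            fh.write("# constructed placeholder content\n")
        after = snapshot(crond)
        return review_changes(before, after)


if __name__ == "__main__":
    print(demo())
```

In production the baseline snapshot would be stored off-host and compared on a schedule (or driven by inotify events); any entry in "added" or "modified" under /etc/cron.d deserves a look regardless of name, and the name heuristic only prioritises the ones that fit this particular bypass.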

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 15:45:00 +0000

Type: First Time appeared
Values Added: Roxy-wi; Roxy-wi roxy-wi

Type: Vendors & Products
Values Added: Roxy-wi; Roxy-wi roxy-wi

Wed, 10 Jun 2026 14:45:00 +0000

Type: Description
Values Added: Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that is passed straight through to config_mod.master_slave_upload_and_restart(...) as the destination path. The validation chain (_replace_config_path_to_correct → check_is_conf) only requires the path to contain a hard-coded service substring (nginx/haproxy/apache2/httpd/keepalived) and the substring conf or cfg, and to not contain `..`. The encoded-slash substitution 92 → / is applied before the substring check, so the attacker can build any absolute path anywhere on the LB filesystem as long as it satisfies those substring constraints. The body of the WAF rule (config form field) is written verbatim to that path. By choosing a filename like 92etc92cron.d92nginx_cfg_evil (resolving to /etc/cron.d/nginx_cfg_evil), an attacker drops a cron entry on the load balancer with attacker-controlled content. Cron parses the file on its next scan and executes the embedded job as root: full RCE on every load balancer the caller's group manages. At time of publication, there are no publicly available patches.

Type: Title
Values Added: Roxy-WI: Authenticated arbitrary file write on every managed load balancer (and downstream RCE) via WAF rule save `config_file_name`

Type: Weaknesses
Values Added: CWE-20, CWE-22, CWE-73, CWE-78

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T14:42:21.071Z

Reserved: 2026-05-12T17:48:47.880Z

Link: CVE-2026-45556

Vulnrichment

Updated: 2026-06-10T14:42:03.040Z

NVD

Status: Received

Published: 2026-06-10T15:16:36.457

Modified: 2026-06-10T16:17:05.173

Link: CVE-2026-45556

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses