Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints (POST /api/service/haproxy/<server_id>/section/<section_type> and the PUT / global / defaults variants) accept a JSON option field that is not validated, not escaped, and is rendered verbatim into the generated HAProxy configuration via the section.j2, global.j2, and defaults.j2 Ansible templates. Because Roxy-WI then pushes the generated config to the load balancer and runs systemctl reload haproxy, an authenticated user with role ≤ 3 (user) can inject arbitrary HAProxy directives into the config that runs on every load balancer their group manages — including option external-check + external-check command /bin/bash -c '…', which gives remote code execution on the load balancer as the haproxy user on every health-check tick. At time of publication, there are no publicly available patches.
Published: 2026-06-10
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Roxy-WI 8.2.6.4 and earlier, the HAProxy section-save API endpoints accept a JSON `option` field that is rendered verbatim into the generated HAProxy configuration through the section.j2, global.j2 and defaults.j2 templates. Because the value is neither validated nor escaped, and the configuration is line-oriented, a value that carries additional lines becomes additional directives: an authenticated user with role 3 (user) or any more privileged role can inject arbitrary HAProxy directives, including `option external-check` together with an `external-check command` line that runs a shell. Roxy-WI then pushes the rendered file to the load balancer and reloads HAProxy, so the injected command executes on the load balancer host as the haproxy user every time the external health check fires. The same field reaches the global template, so the attacker controls the global section as well, not only a backend. The root cause is missing input validation (CWE-20), which results in command, OS command and code injection (CWE-77, CWE-78, CWE-94).

Affected Systems

The affected product is Roxy-WI (vendor roxy-wi), a web interface for managing HAProxy, Nginx, Apache and Keepalived. Every Roxy-WI deployment at version 8.2.6.4 or earlier that is used to configure HAProxy is affected. Any authenticated account holding role 3 (user) or a more privileged role can reach the HAProxy section-save endpoints, and a successful injection lands on every HAProxy load balancer managed by that account's group, so the blast radius is the group's whole fleet rather than a single host.

Risk and Exploitability

The flaw carries a CVSS 3.1 score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H), rated critical; the scope is changed because a low-privilege Roxy-WI session yields code execution on separate load balancer hosts. No EPSS score is available, but the SSVC assessment recorded on this page marks Exploitation as poc, Automatable as no and Technical Impact as total. It is not listed in the CISA KEV catalog. An attacker needs only a valid low-privilege Roxy-WI login and a single crafted request to the section-save endpoints; no access to the HAProxy host itself is required. Once the malicious configuration is pushed and the service reloaded, the injected command runs as the haproxy user on every external health-check interval, which gives the attacker a foothold that re-executes on its own until the configuration is cleaned, on a host that fronts the applications behind it.

Generated by OpenCVE AI on June 10, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roxy-WI as soon as the vendor publishes a release that validates the option field before it is rendered into the section.j2, global.j2 and defaults.j2 templates; no such release exists at the time of publication.
  • Shrink the pool of accounts that can reach the HAProxy section-save endpoints. Per the description, any account with role 3 (user) or a more privileged role can exploit this, so removing HAProxy management from role 3 accounts reduces exposure, but the administrative roles remain able to exploit it until a fix ships.
  • Restrict network access to the Roxy-WI API to known administrative hosts. Note that the injected command runs locally on the load balancer, so egress filtering on the HAProxy hosts does not prevent execution; it only limits what a payload can reach afterwards.
  • Before each reload, inspect the generated HAProxy configuration for directives the section editor should never emit, in particular external-check in any section and insecure-fork-wanted in global, and refuse the push if they appear. A syntax check such as haproxy -c -f <config> will not flag them, since they are legal directives.
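The following Python example is added here to illustrate the verbatim-rendering flaw described in the Impact section and the pre-reload audit in the last recommended action. It is not Roxy-WI's code: the renderer that stands in for the template, the option allowlist, the list of forking directives and the payload value are all this example's own assumptions.

```python
"""Added illustration for this advisory (not Roxy-WI code).

Three pieces: a hypothetical renderer that mimics the verbatim `option`
substitution described above, an allowlist validator that would close the
hole, and an audit that flags forking directives in a rendered config.
"""
import re

# Directives that make HAProxy run an external program or permit forking.
# This is the example's own list; the global knob `insecure-fork-wanted`
# is included because some HAProxy releases require it before forking.
DANGEROUS_DIRECTIVES = frozenset({"external-check", "insecure-fork-wanted"})

# Allowlist of `option` keywords this example accepts. An assumption, not
# the project's list; extend it per deployment.
ALLOWED_OPTIONS = frozenset({
    "httplog", "tcplog", "dontlognull", "http-server-close",
    "forwardfor", "redispatch", "httpchk", "tcp-check",
})

# Constructed attacker value: the first token is a harmless option, the rest
# rides in on embedded newlines as extra directives (benign command for demo).
CONSTRUCTED_PAYLOAD = (
    "httplog\n"
    "    option external-check\n"
    "    external-check command /bin/bash -c 'id >/tmp/who'"
)


def render_section_vulnerable(section_type: str, name: str, option: str) -> str:
    """Hypothetical stand-in for the section template: the field is written
    as-is, so any line breaks in it become additional config lines."""
    header = f"{section_type} {name}".rstrip()
    return f"{header}\n    option {option}\n"


def validate_option(option: str) -> str:
    """Accept a single allowed `option` keyword plus plain arguments; reject
    anything that could smuggle in another directive."""
    if "\n" in option or "\r" in option:
        raise ValueError("line break in option value")
    tokens = option.split()
    if not tokens or tokens[0] not in ALLOWED_OPTIONS:
        raise ValueError(f"option keyword not permitted: {option!r}")
    for arg in tokens[1:]:
        if not re.fullmatch(r"[A-Za-z0-9_./:\-]+", arg):
            raise ValueError(f"unexpected characters in argument {arg!r}")
    return " ".join(tokens)


def render_section_hardened(section_type: str, name: str, option: str) -> str:
    """Same template, but the field passes validate_option first."""
    header = f"{section_type} {name}".rstrip()
    return f"{header}\n    option {validate_option(option)}\n"


def audit_config(cfg: str) -> list[tuple[int, str]]:
    """Return (line number, stripped line) for every line carrying a directive
    from DANGEROUS_DIRECTIVES. Run this on the rendered file before reloading."""
    findings = []
    for lineno, raw in enumerate(cfg.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if DANGEROUS_DIRECTIVES.intersection(line.split()):
            findings.append((lineno, line))
    return findings


if __name__ == "__main__":
    bad = render_section_vulnerable("backend", "app", CONSTRUCTED_PAYLOAD)
    print(bad)
    for lineno, line in audit_config(bad):
        print(f"line {lineno}: {line}")
    try:
        render_section_hardened("backend", "app", CONSTRUCTED_PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
    print(render_section_hardened("backend", "app", "httpchk GET /health"))
```

The validator rejects the payload on the first check (embedded line break) before the allowlist is even consulted; the allowlist matters for single-line values such as a bare `external-check`. The audit is deliberately token-based rather than regex-on-substring so that a directive hidden after extra whitespace or before a comment is still caught.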


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 15:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Roxy-wi; Roxy-wi roxy-wi
Vendors & Products                     Roxy-wi; Roxy-wi roxy-wi

Wed, 10 Jun 2026 14:45:00 +0000

Type          Values Removed   Values Added
Description                    (initial description, identical to the Description at the top of this page)
Title                          Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field config injection in section save
Weaknesses                     CWE-20, CWE-77, CWE-78, CWE-94
References
Metrics                        cvssV3_1: {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T15:43:53.271Z

Reserved: 2026-05-12T19:00:14.599Z

Link: CVE-2026-45558

Vulnrichment

Updated: 2026-06-10T15:43:36.510Z

NVD

Status: Received

Published: 2026-06-10T15:16:36.600

Modified: 2026-06-10T16:17:05.940

Link: CVE-2026-45558

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses