Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://{request.host}{next_url} and the JS client redirects via window.location.replace(). The block does not consider the userinfo@host syntax. next=@evil.example/path produces https://victim.example@evil.example/path, which all modern browsers route to evil.example. At time of publication, there are no publicly available patches.
Published: 2026-06-10
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The login flow of the Roxy‑WI interface permits a next parameter that, when malformed, can redirect users to an attacker‑controlled domain. URLs are filtered for literal http:// or https:// substrings, but the userinfo@host pattern is not detected. An attacker supplies a value such as @evil.example/path; the server concatenates it with the configured host to form https://victim.example@evil.example/path, which modern browsers interpret as a reference to evil.example. This flaw, classified as CWE‑601, enables attackers to redirect users to phishing sites or other malicious destinations.

Affected Systems

Versions of Roxy‑WI up to and including 8.2.6.4 are affected. The vulnerability originates in the web interface for managing Haproxy, Nginx, Apache and Keepalived servers provided by the Roxy‑WI vendor.

Risk and Exploitability

The CVSS score of 6.1 indicates moderate severity. No EPSS score is available and the instance is not listed in the CISA KEV catalog, suggesting limited or no active exploitation yet. Triggering the redirect requires only the construction of a crafted URL. The CVE description does not specify whether authentication is required for the redirect. Because the redirect occurs client‑side, the threat operates through user interaction and can be leveraged in phishing campaigns, but it does not compromise server state directly.

Generated by OpenCVE AI on June 10, 2026 at 19:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a vendor‑issued patch for Roxy‑WI as soon as a fix addressing the userinfo@host handling is released.
  • Adjust server input validation so that the next parameter rejects any string containing an '@' character or that does not resolve to the current host and scheme.
  • Deploy a web application firewall rule that blocks or alerts on /login requests with a next argument containing an '@' character or unapproved http:// or https:// substrings.

Generated by OpenCVE AI on June 10, 2026 at 19:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Roxy-wi
Roxy-wi roxy-wi
Vendors & Products Roxy-wi
Roxy-wi roxy-wi

Wed, 10 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
Description Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the login flow allow-lists next URLs by rejecting strings containing https:// or http:// substrings, then constructs https://{request.host}{next_url} and the JS client redirects via window.location.replace(). The block does not consider the userinfo@host syntax. next=@evil.example/path produces https://victim.example@evil.example/path, which all modern browsers route to evil.example. At time of publication, there are no publicly available patches.
Title Roxy-WI: Open redirect on /login?next= via basic-auth userinfo syntax bypass
Weaknesses CWE-601
References
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Roxy-wi Roxy-wi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T16:05:02.620Z

Reserved: 2026-05-12T19:00:14.599Z

Link: CVE-2026-45566

cve-icon Vulnrichment

Updated: 2026-06-10T16:04:58.455Z

cve-icon NVD

Status : Deferred

Published: 2026-06-10T16:17:07.600

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-45566

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T20:00:16Z

Weaknesses
  • CWE-601

    URL Redirection to Untrusted Site ('Open Redirect')