Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, commit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a line in app/modules/config/config.py:462. This is tuple-membership, not substring containment — '..' in (a, b, c) evaluates to True only if any of a, b, c is equal to the literal string '..'. For any realistic path-traversal payload (../../etc/passwd, ..\\..\\etc\\passwd, etc.) the check returns False and the patch silently lets the payload through. At time of publication, there are no publicly available patches.
Published: 2026-06-10
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A bug in the path‑validation routine of Roxy‑WI allows an attacker to supply a configuration file name that contains relative path components such as '..'. The check tests tuple membership ('..' in (a, b, c), true only when a value equals the literal '..') instead of substring containment, so realistic traversal payloads like '../../etc/passwd' are accepted. This flaw is described by CWE‑22 (path traversal) and CWE‑697 (incorrect comparison). It would enable the attacker to read arbitrary files accessible to the service process, potentially exposing sensitive configuration data or credentials; the CVSS vector also rates integrity impact High, so writes through the same code path cannot be ruled out from the record alone.

Affected Systems

The affected product is Roxy‑WI, version 8.2.6.4 and earlier. These releases contain the buggy validation logic in the config module.

Risk and Exploitability

The vulnerability has a CVSS 3.1 score of 8.1 (High). The vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N means the flaw is reachable over the network with low attack complexity and no user interaction, requires low privileges, and has high confidentiality and integrity impact. No EPSS score is available and it is not listed in the CISA KEV catalog. The likely attack vector is the web interface; based on the description it is inferred that an authenticated attacker who can submit configuration updates could exploit the flaw to read any file accessible to the service process, especially if it runs with elevated privileges.

Generated by OpenCVE AI on June 10, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roxy‑WI to a version where the path‑traversal issue is fixed, once such a release is available; a release that merely contains commit d4d10006 is not fixed.
  • Until then, reject at a reverse proxy or WAF in front of the web interface any request whose config_file_name or configver parameter contains '..' as a substring (not only as an exact match) or starts with a path separator, which restores the validation the commit intended.
  • Run Roxy‑WI with the least privilege necessary, ensuring the service account cannot read sensitive files from the host system, and monitor the web server's access logs for requests whose file‑name parameters contain '..' or absolute paths.
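The no‑op check the description and the recommended actions refer to, as an added example that is not Roxy‑WI's own code and does not reproduce the real line at app/modules/config/config.py:462. The function names, the configuration root directory and the sample file names are assumptions made for the illustration. The block shows the tuple‑membership form beside the substring check the commit message intended, and then a confinement check that also catches absolute paths, which a substring blocklist lets through:

```python
"""Tuple-membership vs. substring containment in a path-traversal check.

Added example, not Roxy-WI's code. CONFIG_ROOT, the function names and
the sample inputs are constructed for illustration only.
"""
import posixpath

CONFIG_ROOT = "/etc/haproxy"  # assumed config directory for the illustration


def check_no_op(config_file_name: str, configver: str) -> bool:
    """Return True if the request may proceed (assumed form of the buggy check).

    `'..' in (a, b)` is tuple membership: it is True only when one of the
    tuple elements is exactly the two-character string '..'.  A name that
    merely contains '..' is therefore accepted.
    """
    if '..' in (config_file_name, configver):
        return False
    return True


def check_substring(config_file_name: str, configver: str) -> bool:
    """Return True if neither value contains '..' as a substring.

    This is what the commit message describes.  It stops '../x' style
    payloads but still accepts absolute paths such as '/etc/passwd'.
    """
    return not any('..' in value for value in (config_file_name, configver))


def check_confined(config_file_name: str, root: str = CONFIG_ROOT) -> bool:
    """Return True only if the name resolves to a file strictly under `root`.

    Pure string logic (no filesystem access): normalise separators, reject
    NUL bytes and absolute paths, then require the normalised join to stay
    inside the root.  Symlinks inside `root` would still need a realpath
    check at open time; that is outside this illustration.
    """
    if "\x00" in config_file_name:
        return False
    candidate = config_file_name.replace("\\", "/")
    if posixpath.isabs(candidate):
        return False
    root_norm = posixpath.normpath(root)
    resolved = posixpath.normpath(posixpath.join(root_norm, candidate))
    return resolved.startswith(root_norm + "/")


# Constructed sample inputs: one legitimate name, the payloads named in the
# advisory, the literal '..', and an absolute path the substring check misses.
SAMPLE_NAMES = [
    "haproxy.cfg",
    "../../etc/passwd",
    "..\\..\\etc\\passwd",
    "..",
    "subdir/../haproxy.cfg",
    "/etc/passwd",
]


def compare_checks(names=SAMPLE_NAMES, configver: str = "1"):
    """Run all three checks over the samples; returns {name: (no_op, substring, confined)}."""
    return {
        name: (
            check_no_op(name, configver),
            check_substring(name, configver),
            check_confined(name),
        )
        for name in names
    }


if __name__ == "__main__":
    for name, (no_op, substring, confined) in compare_checks().items():
        print(f"{name!r:28} no-op={no_op!s:5} substring={substring!s:5} confined={confined}")
```

Only the literal name '..' is blocked by the no‑op form; '../../etc/passwd' and the backslash variant pass it, are caught by the substring check, and are also rejected by confinement. The absolute path '/etc/passwd' passes both the no‑op and the substring check and is stopped only by confinement, which is why the remediation should anchor the resolved path under the configuration directory rather than blocklist one token.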

Generated by OpenCVE AI on June 10, 2026 at 17:50 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | (none) | Roxy-wi; Roxy-wi roxy-wi
Vendors & Products | (none) | Roxy-wi; Roxy-wi roxy-wi

Wed, 10 Jun 2026 16:00:00 +0000

Type | Values Removed | Values Added
Description | (none) | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, commit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a line in app/modules/config/config.py:462. This is tuple-membership, not substring containment — '..' in (a, b, c) evaluates to True only if any of a, b, c is equal to the literal string '..'. For any realistic path-traversal payload (../../etc/passwd, ..\\..\\etc\\passwd, etc.) the check returns False and the patch silently lets the payload through. At time of publication, there are no publicly available patches.
Title | (none) | Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op (tuple-membership bug)
Weaknesses | (none) | CWE-22, CWE-697
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T15:38:17.385Z

Reserved: 2026-05-12T19:00:14.600Z

Link: CVE-2026-45569

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-06-10T16:17:08.433

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-45569

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T18:00:15Z

Weaknesses