CRITICAL🇵🇱 Wersja polska

CVE-2026-45556

CVSS 9.9v3.1pub. 2026-06-10

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that is passed straight through to config_mod.master_slave_upload_and_restart(...) as the destination path. The validation chain (_replace_config_path_to_correct → check_is_conf) only requires the path to contain a hard-coded service substring (nginx/haproxy/apache2/httpd/keepalived) and the substring conf or cfg, and to not contain ... The encoded-slash substitution 92 → / is applied before the substring check, so the attacker can build any absolute path anywhere on the LB filesystem as long as it satisfies those substring constraints. The body of the WAF rule (config form field) is written verbatim to that path. By choosing a filename like 92etc92cron.d92nginx_cfg_evil (resolving to /etc/cron.d/nginx_cfg_evil), an attacker drops a cron entry on the load balancer with attacker-controlled content. Cron parses the file on its next scan, executing the embedded job as root — full RCE on every load balancer the caller's group manages. At time of publication, there are no publicly available patches.

🤖 AI Analysis
How it works

The POST endpoint /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field, which is passed directly as the target path to the config_mod.master_slave_upload_and_restart() function. The validation mechanism only checks whether the path contains a specified substring (e.g., nginx, haproxy, conf, cfg) and does not contain the .. sequence, but does not account for encoded slashes: the sequence 92 is converted to / before this verification is performed. This allows an attacker to construct a path such as 92etc92cron.d92nginx_cfg_evil, which after substitution resolves to /etc/cron.d/nginx_cfg_evil, meeting validation conditions. The content of the config field (WAF rule body) is written literally to the specified path — the attacker places their own cron entry there, which when subsequently read by the cron daemon is executed as root.

Impact

An authenticated attacker with access to a managed group can obtain full remote code execution (RCE) with root privileges on every load balancer server managed by that group, resulting in complete compromise of confidentiality, integrity, and availability of the systems.

Mitigation & patch

At the time of publication, no publicly available patches exist. Monitor the vendor's repository (https://github.com/roxy-wi/roxy-wi) and apply the patch immediately upon release. Until a patch is issued, it is recommended to restrict access to the Roxy-WI interface only to trusted networks/hosts (e.g., via firewall or VPN), and monitor changes in /etc/cron.d/ directories and other critical filesystem locations.

Who is affected

Roxy-WI in versions 8.2.6.4 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Path TraversalCommand Injection
CWE
References