CVE-2026-45564: Roxy-WI Command Injection in Configuration Version Parameter (CVSS 8.8)
Roxy-WI, a web management interface for Haproxy, Nginx, Apache, and Keepalived servers, contains a command-injection vulnerability in versions 8.2.6.4 and earlier. An authenticated user with basic privileges can manipulate the configuration version parameter in a specific POST request to inject shell commands, which are then executed with the privileges of the Roxy-WI process. This is a post-authentication attack—the attacker must have valid credentials—but the low privilege requirement (role 3 or lower, typically standard 'user' accounts) and the complete impact on system confidentiality, integrity, and availability make this a significant risk for any organization running Roxy-WI in production.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions/<service>/<server_ip>/<configver>/save interpolates the URL-path configver parameter directly into a config-version path that ends up at os.system(f"dos2unix -q {cfg}"). configver is not run through EscapedString (Pydantic doesn't validate path segments declared as str) and the surrounding .. block is the broken tuple-membership patch from GHSA-vapt-004. An authenticated user with role <= 3 ("user") therefore reaches a bin/sh -c command-injection sink. At time of publication, there are no publicly available patches.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the POST /config/versions/<service>/<server_ip>/<configver>/save endpoint. The 'configver' path parameter is concatenated directly into a shell command passed to os.system() without sanitization: dos2unix -q {cfg}. Roxy-WI uses Pydantic for validation but does not enforce escaped string constraints on path parameters declared as plain strings. The developers had previously attempted a patch using tuple-membership validation (GHSA-vapt-004), but this was ineffective. An authenticated attacker can include shell metacharacters (pipe, semicolon, backtick, etc.) in the configver parameter to break out of the intended command and execute arbitrary system commands. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command).
Business impact
Compromise of any Roxy-WI instance grants an attacker the ability to execute arbitrary commands on the underlying server with the same privileges as the web application process. This can lead to data exfiltration, installation of persistence mechanisms, lateral movement to managed Haproxy/Nginx/Apache/Keepalived nodes, and disruption of load-balancing and web infrastructure. For organizations relying on Roxy-WI to manage critical proxy and web services, this represents a path to infrastructure takeover. The requirement for authentication limits exposure to insider threats and compromised accounts, but does not eliminate risk—especially in environments where service accounts or shared credentials are common.
Affected systems
Roxy-WI versions 8.2.6.4 and prior are affected. No vendor product data was available at publication, but any deployment of Roxy-WI in this version range is at risk. Organizations should inventory all instances and verify the installed version. Check release notes and the vendor's official repository to determine if a patched version has been released since the initial publication date of June 10, 2026.
Exploitability
The attack requires valid authentication credentials and a role assignment of 3 or lower (standard user privileges), making it a post-authentication attack rather than unauthenticated. However, in many environments, user-level accounts are numerous and may be shared, delegated, or compromised via phishing or credential theft. Once authenticated, the attack is trivial to execute—no advanced exploitation techniques are required. The CVSS 3.1 score of 8.8 (HIGH) reflects the low attack complexity, low privilege requirements, and complete impact across all three security dimensions (confidentiality, integrity, availability). Active exploitation is plausible if Roxy-WI is exposed to untrusted networks or if internal user accounts are compromised.
Remediation
At the time of publication (June 10, 2026), no official patches were available. Organizations must take interim action: (1) Restrict access to Roxy-WI to trusted networks only, using firewall rules or VPN gateways. (2) Limit user account creation and enforce strong, unique passwords; audit active user accounts and role assignments. (3) Monitor authentication logs for suspicious login patterns. (4) Upgrade to a patched version as soon as the vendor releases one—verify against the official vendor advisory and release notes. (5) Consider air-gapping the Roxy-WI instance or running it in a restricted security zone until patched.
Patch guidance
Verify the vendor's official GitHub repository and release notes for a patched version greater than 8.2.6.4. Apply the patch to all Roxy-WI instances in your environment, testing in a non-production environment first to ensure compatibility with your Haproxy, Nginx, Apache, and Keepalived configurations. The patch must address input validation in the configver parameter, ensuring that all user-supplied path components are properly escaped before being passed to os.system() or, preferably, replaced with a safer subprocess method that avoids shell interpretation.
Detection guidance
Monitor web server and application logs for POST requests to /config/versions/*/*/*/save endpoints where the configver parameter contains shell metacharacters (semicolon, pipe, backtick, dollar-parenthesis, newline, etc.). Look for authentication logs showing user accounts with role 3 or lower accessing Roxy-WI, especially from unusual source IPs or at odd times. Check system logs on the Roxy-WI host for unexpected process execution, particularly dos2unix invocations with suspicious arguments. Use endpoint detection and response (EDR) tools to monitor for child processes spawned by the Roxy-WI application. Consider deploying a Web Application Firewall (WAF) rule to block requests with encoded or raw shell metacharacters in path parameters.
Why prioritize this
This vulnerability merits immediate attention because it combines post-authentication command injection with a low privilege threshold (standard users), high impact across all security dimensions, and the current absence of a public patch. Any Roxy-WI instance managing production load-balancers or critical web infrastructure is a high-value target. Organizations should prioritize patching as soon as a fix becomes available, and in the interim, implement strong access controls and network segmentation around Roxy-WI instances.
Risk score, explained
The CVSS 3.1 score of 8.8 (HIGH) reflects: Network-based attack vector (AV:N), low attack complexity (AC:L), low privilege requirements (PR:L), no user interaction needed (UI:N), and unchanged scope (S:U). The impact is complete across confidentiality, integrity, and availability (C:H, I:H, A:H), meaning an attacker can read, modify, or delete data, and disrupt services. Although authentication is required, the low privilege bar and ease of exploitation elevate the overall risk.
Frequently asked questions
Can this vulnerability be exploited without valid credentials?
No. The vulnerability requires an authenticated user account with role 3 or lower. However, user-level accounts are often numerous in organizations, and credentials can be obtained through phishing, password reuse, or insider access. Once authenticated, the attack is straightforward.
What versions of Roxy-WI are affected?
All versions 8.2.6.4 and prior are affected. Check your installed version with 'roxy-wi --version' or inspect the deployment directory. The vendor's official repository should indicate which version addresses this issue.
Is there a workaround if I cannot patch immediately?
Yes. Restrict network access to the Roxy-WI interface to trusted management networks only, using firewall rules or a bastion host. Audit and remove unnecessary user accounts, enforce strong passwords, and monitor authentication logs. Implement a WAF rule to block requests with shell metacharacters in the configver parameter. These measures reduce but do not eliminate risk; patching is essential.
How do I know if my Roxy-WI instance has been compromised?
Review web server access logs for POST requests to /config/versions/*/*/*/save with suspicious characters in the configver parameter. Check system logs for unexpected process spawning or dos2unix invocations with unusual arguments. Use file integrity monitoring to detect unauthorized changes to configuration files or system binaries. If you suspect compromise, isolate the instance, preserve logs for forensics, and consider a full security incident investigation.
This analysis is based on vulnerability data available as of the publication date and does not constitute legal, compliance, or professional security advice. Organizations must verify all patch versions, affected products, and remediation steps against official vendor advisories and their own environment. SEC.co provides no warranty regarding the completeness or accuracy of this information and recommends consulting with qualified security professionals before implementing remediation. Any exploit or proof-of-concept code is strictly prohibited and may violate applicable laws. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection
- CVE-2025-66273HIGHQNAP Command Injection in QTS and QuTS hero
- CVE-2025-66279HIGHQNAP NAS Command Injection – Admin Authentication Required, HIGH Severity
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability