CVE-2026-45565: Roxy-WI Path Traversal & Shell Injection in Input Validation
Roxy-WI, a web management interface for popular open-source load balancers and reverse proxes, contains a flaw in how it validates user input across dozens of fields—including SSH credentials and server descriptions. An attacker with login credentials can bypass security checks by appending certain shell metacharacters to a path traversal payload, allowing them to read or modify files outside the intended scope. The vulnerability affects versions 8.2.6.4 and earlier, with no public patches available at publication.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-117, CWE-20, CWE-22
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString (app/modules/roxywi/class_models.py:16-30) is the centralised Pydantic validator used on dozens of fields including SSH credential name, username, description, etc. Its if/elif/elif/else flow returns the metacharacter-stripped value without also enforcing the .. block. An attacker who appends a single ;, &, |, $, or backtick to a .. payload routes the value through the strip arm, where .. survives unblocked and the result is not shlex.quote()'d either. At time of publication, there are no publicly available patches.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the EscapedString Pydantic validator (app/modules/roxywi/class_models.py:16-30), which is responsible for sanitizing input across multiple configuration fields. The validator's if/elif/elif/else control flow strips certain metacharacters (;, &, |, $, backtick) but does not properly block path traversal sequences (..). When an attacker appends a metacharacter to a .. payload, the input routes through the strip arm where .. persists unfiltered. The unsanitized value is then passed to backend operations without shlex.quote() escaping, enabling shell injection or path traversal attacks. This affects CWE-22 (Path Traversal), CWE-20 (Improper Input Validation), and CWE-117 (Improper Output Neutralization for Logs).
Business impact
Authenticated users can access or modify files on servers managed by Roxy-WI, potentially compromising HAProxy, Nginx, Apache, or Keepalived configurations. An attacker could exfiltrate sensitive data (private keys, credentials), alter load-balancer rules to redirect traffic, or disable services. For organizations relying on Roxy-WI for infrastructure automation, this increases the blast radius of credential compromise and reduces the trustworthiness of centralized configuration management.
Affected systems
Roxy-WI versions 8.2.6.4 and prior are vulnerable. The tool is used to manage HAProxy, Nginx, Apache, and Keepalived instances. Any organization deploying Roxy-WI in these versions, particularly those with untrusted or broadly-scoped user accounts, should be considered at risk.
Exploitability
Exploitation requires valid login credentials (PR:L in CVSS), so external unauthenticated attack is not possible. However, the attack is deterministic and does not require user interaction once an attacker is authenticated. The barrier to weaponization is low: appending a single character to a path traversal string is trivial. Given the centrality of the EscapedString validator across dozens of fields, multiple attack vectors likely exist.
Remediation
Await and apply a patched version from the Roxy-WI project as soon as it becomes available. In the interim, restrict Roxy-WI access to highly trusted administrators, implement network segmentation to limit authenticated user reach, and monitor file access on managed servers for suspicious ..-based paths. Consider disabling Roxy-WI if it is not critical to operations.
Patch guidance
No patches have been released as of the publication date (2026-06-10). Monitor the Roxy-WI GitHub repository and official announcements for patch availability. When a patch is released, verify its version number against the advisory and test in a non-production environment before deployment. Prioritize patching if Roxy-WI is exposed to untrusted networks or manages critical infrastructure.
Detection guidance
Hunt for authentication logs from Roxy-WI that precede file-access anomalies on managed servers (HAProxy, Nginx, Apache, Keepalived hosts). Look for repeated failed input validation warnings or exceptions in Roxy-WI logs containing .. or shell metacharacters. Monitor access to sensitive configuration files (e.g., /etc/nginx/nginx.conf, /etc/haproxy/haproxy.cfg) for unexpected read or write operations, particularly if correlated with Roxy-WI API calls. Endpoint detection and response (EDR) tools should flag unusual process spawning from Roxy-WI's process tree.
Why prioritize this
With a CVSS score of 8.1 (HIGH) and confirmed exploitability barriers only at the authentication gate, this vulnerability warrants immediate attention if Roxy-WI is deployed in your environment. The validator flaw is structural, affecting multiple fields, and the lack of a public patch compounds urgency. Organizations using Roxy-WI for production infrastructure should treat this as a critical access-control risk and escalate patch tracking.
Risk score, explained
The CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N score reflects: network-accessible attack surface (AV:N), low complexity requiring only credential possession and a simple payload mutation (AC:L), confidentiality and integrity impact at the scope of the managed servers (C:H, I:H), and no direct availability impact (A:N). The score is elevated because an authenticated user can deterministically extract or alter sensitive data without user interaction.
Frequently asked questions
Do I need to take action if I don't use Roxy-WI?
No. This vulnerability is specific to Roxy-WI deployments. If your organization does not use Roxy-WI for HAProxy, Nginx, Apache, or Keepalived management, no action is required.
Can an unauthenticated attacker exploit this?
No. The vulnerability requires valid login credentials. However, if those credentials are compromised—through phishing, weak passwords, or lateral movement—the attack becomes immediately viable. Credential security and access controls are critical mitigations.
What should I do until a patch is available?
Restrict Roxy-WI access to a small set of highly trusted administrators, enforce strong authentication (MFA if possible), isolate Roxy-WI and managed servers on a trusted network segment, and monitor for suspicious path-traversal attempts in logs. Document the vulnerability in your risk register and establish a process to apply patches immediately upon release.
Are there workarounds to avoid the vulnerability?
No reliable workaround eliminates the risk. The flaw is in the core validator logic. Access restrictions and monitoring are the only interim mitigations available.
This analysis is based on publicly available vulnerability data as of 2026-06-17. No patches are confirmed available at publication. Verify all patch versions and advisory details against official Roxy-WI sources before deployment. This explainer does not constitute legal or compliance advice. Organizations should conduct their own risk assessments and consult with security teams before implementing mitigations. References to CVSS scoring reflect version 3.1; organizational risk may differ from CVSS ratings. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2017-20248HIGHApptha Slider Gallery Path Traversal Vulnerability
- CVE-2017-20250HIGHMac Photo Gallery 3.0 Path Traversal File Download Vulnerability
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2025-22424HIGHAndroid Local Privilege Escalation via Image Disclosure
- CVE-2026-0078HIGHAndroid Privilege Escalation via DevicePolicyManagerService Desync
- CVE-2026-0270HIGHCortex XSOAR Path Traversal on Linux — Exploit Requirements & Patching Guide
- CVE-2026-0419HIGHNETGEAR JR6150 Command Injection via Insufficient Input Validation