CVE-2026-45569: Path-Traversal Vulnerability in Roxy-WI 8.2.6.4 – Logic Error Bypasses Validation
Roxy-WI, a web-based control panel for managing HAProxy, Nginx, Apache, and Keepalived servers, contains a path-traversal vulnerability in versions 8.2.6.4 and earlier. A security patch was attempted but contained a critical logic error: it checks whether the string '..' appears as an exact match in a list of values, rather than checking whether '..' appears anywhere within a file path. This means attackers can still bypass the check using common path-traversal payloads like '../../etc/passwd' or '..\..\/etc/passwd'. An authenticated user can exploit this to read, modify, or delete arbitrary configuration files on the server.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-22, CWE-697
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, ommit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a line in app/modules/config/config.py:462. This is tuple-membership, not substring containment — '..' in (a, b, c) evaluates to True only if any of a, b, c is equal to the literal string '..'. For any realistic path-traversal payload (../../etc/passwd, ..\\..\\etc\\passwd, etc.) the check returns False and the patch silently lets the payload through. At time of publication, there are no publicly available patches.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from a flawed input-validation patch in app/modules/config/config.py at line 462. The vulnerable code uses tuple-membership testing ('..' in (a, b, c)) instead of substring containment checking. Tuple membership only returns True if one of the operands equals the literal string '..', not if '..' appears within a larger string. Consequently, payloads such as '../../etc/passwd', '..\\..\\windows\\win.ini', or any path-traversal string containing '..' as a substring will pass the check and reach the file-handling logic. This bypasses the intended CWE-22 (Path Traversal) mitigation entirely. The vulnerability is rooted in improper input validation (CWE-697) and allows an authenticated user to access arbitrary files on the underlying system.
Business impact
An authenticated attacker can read sensitive configuration files, system files, and potentially credentials stored on the Roxy-WI server or the systems it manages. They could also modify or delete critical configuration for HAProxy, Nginx, Apache, or Keepalived, disrupting load-balancing, web serving, or failover operations. For organizations relying on Roxy-WI to manage production infrastructure, exploitation could lead to service downtime, data exposure, or lateral movement to managed servers. The impact is elevated because Roxy-WI typically has privileged access to backend systems.
Affected systems
Roxy-WI versions 8.2.6.4 and prior are affected. The vulnerability requires authentication, so it poses risk to organizations running these versions with user accounts that have access to Roxy-WI. Because Roxy-WI is a management tool for infrastructure components (HAProxy, Nginx, Apache, Keepalived), affected systems include any environment where Roxy-WI is deployed as a centralized control point.
Exploitability
Exploitation requires valid authentication credentials to Roxy-WI; there is no evidence of public exploits or automated attack tooling at the time of publication. However, the vulnerability is trivial to exploit once authenticated: an attacker need only submit a path-traversal payload (e.g., in the config_file_name or configver parameter) and the flawed validation will permit it through. The actual attack surface depends on how Roxy-WI exposes file-handling endpoints, but the logic error makes the check ineffective against any real-world path-traversal syntax. The lack of KEV designation and public patches suggests this vulnerability is not yet widely exploited in the wild, but should be treated as high-priority given the ease of exploitation for those with access.
Remediation
At publication, no vendor patches are available. Organizations should immediately review access controls to Roxy-WI and restrict authentication to trusted administrators only. Implement network segmentation to limit access to the Roxy-WI management interface. Monitor for suspicious file-access attempts or unusual configuration changes. Until an official patch is released, consider disabling or isolating Roxy-WI if feasible. Maintain frequent backups of configuration files for all managed servers (HAProxy, Nginx, Apache, Keepalived) so that tampered configurations can be restored quickly.
Patch guidance
No patches are currently available from the vendor. Monitor the official Roxy-WI project repository and security advisories for an updated release that correctly implements substring or path-traversal validation. When a patch is released, verify that it uses proper substring checking (e.g., '..' in file_path) or a dedicated path-normalization library to prevent bypasses. Test patches in a non-production environment before deploying to live infrastructure. Be aware that future patches should also validate against null bytes, encoded traversal sequences, and symlink attacks to prevent similar issues.
Detection guidance
Monitor Roxy-WI access logs for requests containing path-traversal patterns in parameters such as config_file_name or configver (e.g., '../../', '..\\..\\', or encoded variants like '%2e%2e'). Check for unexpected file access attempts from the Roxy-WI process user, particularly reads from outside the intended configuration directories. Review audit logs of configuration file modifications, especially changes made through Roxy-WI. Set up alerts for authentication attempts to Roxy-WI, particularly from unexpected IP addresses or during unusual hours. File-integrity monitoring on critical configuration files (HAProxy configs, system files) can detect unauthorized changes resulting from exploitation.
Why prioritize this
This vulnerability scores 8.1 (HIGH) due to high confidentiality and integrity impact, low attack complexity, and requirement for low-privilege authentication. Prioritize it because: (1) the validation bypass is trivial and requires no special payload obfuscation, (2) Roxy-WI manages critical infrastructure (load balancers, web servers), so compromise can cascade to production systems, (3) no patches are yet available, leaving organizations in a reactive posture, and (4) while exploitation requires authentication, many organizations do not restrict Roxy-WI access tightly. Treat this as urgent for any team running affected versions in production.
Risk score, explained
CVSS 3.1 score of 8.1 reflects: Network-accessible attack vector (AV:N), low attack complexity (AC:L), authentication required (PR:L) but only low privilege, user interaction not required (UI:N), confidentiality impact (C:H) from unauthorized file reading, integrity impact (I:H) from file modification, and no availability impact (A:N). The score is high rather than critical because authentication is required and availability is not directly affected. However, the ease of bypassing the validation and the criticality of files that can be accessed make the real-world risk substantial.
Frequently asked questions
Does the patch attempt in version 8.2.6.4 actually fix the vulnerability?
No. The patch attempted to add validation using tuple-membership testing ('..' in (a, b, c)), which only succeeds if one of the operands equals exactly '..' as a standalone string. Realistic payloads like '../../etc/passwd' or '..\\..\\/config' contain '..' within a larger string and will not match, so the validation silently fails and the payload reaches the vulnerable code.
What files can an attacker access or modify?
An attacker can potentially access any file that the Roxy-WI process has permission to read or write, including: configuration files for HAProxy, Nginx, Apache, and Keepalived; system files and credentials; and any other file within the application or system directory structure. The exact scope depends on the user privileges and file-system permissions granted to the Roxy-WI process.
Do I need valid Roxy-WI credentials to exploit this?
Yes, this vulnerability requires authentication (PR:L in the CVSS vector). However, if your organization has not restricted Roxy-WI access to a narrow group of trusted administrators, any user with a valid account can potentially exploit it. Review and tighten authentication policies immediately.
When will a fix be available?
As of the publication date (2026-06-10), no official patches have been released. Monitor the Roxy-WI project repository and vendor security advisories for updates. When patches become available, ensure they implement correct substring containment checks or use a proper path-normalization library to prevent similar bypasses.
This analysis is based on the CVE record and vendor advisory as of 2026-06-17. No patches are available at publication. Users should verify all remediation and detection recommendations against their specific configuration and with the vendor's official guidance. This document does not constitute legal or compliance advice. Organizations should consult with their security team and legal counsel regarding notification and disclosure obligations. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2017-20248HIGHApptha Slider Gallery Path Traversal Vulnerability
- CVE-2017-20250HIGHMac Photo Gallery 3.0 Path Traversal File Download Vulnerability
- CVE-2018-25408HIGHOpen ISES Project Path Traversal Vulnerability (High Severity)
- CVE-2024-40646HIGHVertex Path Traversal Vulnerability – Remote File Access Risk
- CVE-2026-0270HIGHCortex XSOAR Path Traversal on Linux — Exploit Requirements & Patching Guide
- CVE-2026-10108HIGHUnauthenticated Path Traversal in xiaomusic v0.5.7 – File Read Vulnerability
- CVE-2026-11416HIGHMoviePilot Path Traversal in Cloud Storage Download Handlers
- CVE-2026-11419HIGHAltium Enterprise Server Path Traversal – Arbitrary File Write