CVE Catalog

CVE-2026-45558

CriticalCVSS 9.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

42th percentile — higher than 42% of all known CVEs

Summary

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints accept an unvalidated JSON option field, allowing arbitrary HAProxy directives to be injected into the configuration.

Risk Assessment

The risk involves the potential for remote code execution on the load balancer by an authenticated user, which could lead to serious security breaches within the organization's infrastructure.

Recommendation

It is recommended to upgrade to the latest version of Roxy-WI and implement additional input validation and verification mechanisms in the HAProxy configuration.

Original NVD description (English source)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints (POST /api/service/haproxy/<server_id>/section/<section_type> and the PUT / global / defaults variants) accept a JSON option field that is not validated, not escaped, and is rendered verbatim into the generated HAProxy configuration via the section.j2, global.j2, and defaults.j2 Ansible templates. Because Roxy-WI then pushes the generated config to the load balancer and runs systemctl reload haproxy, an authenticated user with role ≤ 3 (user) can inject arbitrary HAProxy directives into the config that runs on every load balancer their group manages — including option external-check + external-check command /bin/bash -c '…', which gives remote code execution on the load balancer as the haproxy user on every health-check tick. At time of publication, there are no publicly available patches.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS