Skip to main content

Apache CVE-2026-33431

| EUVDEUVD-2026-23966 MEDIUM
Path Traversal: '../filedir' (CWE-24)
2026-04-20 GitHub_M
5.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.7 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Patch released
Apr 24, 2026 - 19:19 nvd
Patch available
Patch available
Apr 20, 2026 - 22:31 EUVD
Analysis Generated
Apr 20, 2026 - 21:44 vuln.today
CVSS changed
Apr 20, 2026 - 21:22 NVD
5.7 (MEDIUM)
EUVD ID Assigned
Apr 20, 2026 - 21:15 euvd
EUVD-2026-23966
Analysis Generated
Apr 20, 2026 - 21:15 vuln.today
CVE Published
Apr 20, 2026 - 20:24 nvd
MEDIUM 5.7

DescriptionGitHub Advisory

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and its contents returned to the caller. The existing path traversal guard only inspects the base directory variable (which is never user-controlled) and entirely ignores the user-supplied configver value. An authenticated attacker can supply a configver value containing ../ sequences to escape the intended directory and read arbitrary files accessible to the web application process. Version 8.2.6.4 contains a patch for the issue.

AnalysisAI

Roxy-WI versions prior to 8.2.6.4 allow authenticated attackers to read arbitrary files via path traversal in the POST /config/<service>/show API endpoint. The configver parameter is directly concatenated into a file path without proper validation, permitting directory escape sequences (../) to bypass the existing path guard. An authenticated user can exploit this to access sensitive configuration files and other data readable by the web application process.

Technical ContextAI

Roxy-WI is a web interface for managing multiple load-balancing and service platforms (HAProxy, Nginx, Apache, Keepalived). The vulnerable endpoint constructs a local file path by appending user-supplied input (configver) to a base directory path and then opens and returns the file contents. The root cause (CWE-24: Path Traversal) stems from incomplete input validation-the application checks the base directory variable for traversal sequences but fails to sanitize the user-controlled configver parameter before path construction. This is a classic concatenation-then-validate logic flaw where the attacker can inject ../ sequences into configver to escape the intended directory scope.

RemediationAI

Vendor-released patch: upgrade Roxy-WI to version 8.2.6.4 or later. The fix is confirmed in the upstream repository commit d4d100067dd0ee04317f05d3b51be8fcfdc3f802 (https://github.com/roxy-wi/roxy-wi/commit/d4d100067dd0ee04317f05d3b51be8fcfdc3f802), which implements proper input validation on the configver parameter to reject or neutralize path traversal sequences. If immediate patching is not feasible, implement a network-level compensating control: restrict POST requests to /config/*/show to a whitelist of trusted internal IP addresses or require an additional authentication layer (e.g., IP-based ACL via reverse proxy). This mitigates the risk by limiting exposure to authenticated users within a controlled network perimeter. Note that this workaround does not eliminate the vulnerability for legitimate internal users and should be treated as temporary.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-33431 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy