Skip to main content

Roxy-WI CVE-2026-45569

| EUVD-2026-36065 HIGH
Path Traversal (CWE-22)
2026-06-10 GitHub_M
Path Traversal Nginx Apache
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 10, 2026 - 16:23 vuln.today
Analysis Generated
Jun 10, 2026 - 16:23 vuln.today
CVE Published
Jun 10, 2026 - 15:38 nvd
HIGH 8.1

DescriptionNVD

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, ommit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a line in app/modules/config/config.py:462. This is tuple-membership, not substring containment - '..' in (a, b, c) evaluates to True only if any of a, b, c is equal to the literal string '..'. For any realistic path-traversal payload (../../etc/passwd, ..\\..\\etc\\passwd, etc.) the check returns False and the patch silently lets the payload through. At time of publication, there are no publicly available patches.

Articles & Coverage 1

News 11 New Apache Vulnerabilities - 4 Critical, 7 High Severity Jun 10, 2026

AnalysisAI

Path traversal in Roxy-WI versions 8.2.6.4 and prior allows authenticated remote attackers to read arbitrary configuration files via the config_file_name and configver parameters. The vendor's attempted fix in commit d4d10006 is ineffective due to a logic error - it uses Python tuple-membership instead of substring containment - leaving all realistic '../' payloads unblocked, with no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege Roxy-WI credentials
Delivery
Send show_config request with '../' in config_file_name
Exploit
Bypass broken tuple-membership check
Execution
Server reads arbitrary file from disk
Persist
Exfiltrate /etc/passwd or backend service configs
Impact
Pivot using leaked secrets to HAProxy/Nginx backends
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session on Roxy-WI (CVSS PR:L) with permission to invoke the show_config handler, and network reachability to the management web interface. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N, score 8.1) indicates a network-reachable, low-complexity attack that requires only low privileges and no user interaction, yielding high confidentiality and integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with any valid low-privilege Roxy-WI account - for example a junior operator or a compromised CI user - sends a request to the show_config endpoint with config_file_name set to `../../../../etc/passwd` or `../../etc/haproxy/haproxy.cfg`. The broken tuple-membership check returns False, the path is concatenated and read from disk, and the file contents are returned in the response, leaking system credentials, backend secrets, or HAProxy/Nginx configurations containing TLS keys. …
Remediation No vendor-released patch identified at time of analysis - the published commit d4d10006 contains a logic bug and does not block traversal sequences. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Inventory all Roxy-WI deployments running version 8.2.6.4 or earlier and document their network exposure and user base. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-45552 CRITICAL
9.9 Jun 10

Privilege escalation and cross-tenant compromise in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user - i
CVE-2026-45556 CRITICAL
9.9 Jun 10

Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated users to write attacker-controlled cont
CVE-2026-45558 CRITICAL
9.9 Jun 10

Remote code execution in Roxy-WI versions 8.2.6.4 and prior allows authenticated low-privilege users (role ≤ 3) to injec
CVE-2026-45550 CRITICAL
9.1 Jun 10

Cross-tenant data tampering in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user to silently overwrite HT
CVE-2026-45564 HIGH
8.8 Jun 10

Authenticated command injection in Roxy-WI versions 8.2.6.4 and prior allows low-privileged users (role <= 3, 'user') to

Share

CVE-2026-45569 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy