CVE-2026-27811 Overview
CVE-2026-27811 is a command injection vulnerability affecting Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the /config/compare/<service>/<server_ip>/show endpoint that allows authenticated users to execute arbitrary system commands on the application host. The vulnerability originates in app/modules/config/config.py on line 362, where user input is directly formatted in a template string that is eventually executed.
Critical Impact
Authenticated attackers can achieve full system command execution on the Roxy-WI host server, potentially leading to complete infrastructure compromise given the application's role in managing critical load balancers and web servers.
Affected Products
- Roxy-WI versions prior to 8.2.6.3
- All Roxy-WI installations with the vulnerable /config/compare/<service>/<server_ip>/show endpoint exposed
Discovery Timeline
- 2026-03-18 - CVE-2026-27811 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-27811
Vulnerability Analysis
This command injection vulnerability (CWE-77) affects the configuration comparison functionality in Roxy-WI. The vulnerable code path accepts user-controlled input parameters (left and right) via JSON data in the compare route and passes them to a diff command without adequate sanitization. While the application uses checkAjaxInput() for basic input validation, this was insufficient to prevent path traversal or command injection attacks through specially crafted input values.
The vulnerability is particularly concerning because Roxy-WI manages critical infrastructure components including Haproxy, Nginx, Apache, and Keepalived servers. An attacker who gains command execution on the Roxy-WI host could potentially pivot to compromise the managed servers or disrupt load balancing and high-availability configurations.
Root Cause
The root cause is improper input validation in the configuration comparison endpoint. User-supplied input is incorporated into file paths that are passed to shell commands via subprocess_execute(). The left and right parameters from JSON input are directly used in constructing file paths without sufficient validation against directory traversal sequences or command injection payloads.
Attack Vector
The attack is network-based and requires low-privileged authenticated access to the Roxy-WI interface. An attacker with valid credentials can send a malicious POST request to the /config/compare/<service>/<server_ip>/show endpoint with crafted left or right JSON parameters containing path traversal sequences or command injection payloads. These malicious inputs are then processed by the backend and executed as part of shell commands.
# Patched code in app/routes/config/routes.py
# Source: https://github.com/roxy-wi/roxy-wi/commit/a10ac7306c252014f97a7213db4a9470300fa064
# (excerpt: the Flask route decorator and the project-internal imports of
# common, config_mod and roxywi_common are not shown in the commit excerpt)
from flask import request, jsonify

def show_compare(service, server_ip):
    left = common.checkAjaxInput(request.json.get('left'))
    right = common.checkAjaxInput(request.json.get('right'))
    # The fix: reject any traversal sequence in either file name
    if '..' in left or '..' in right:
        return jsonify({'error': 'error: .. is not allowed'})
    try:
        compare = config_mod.compare_config(service, left, right)
    except Exception as e:
        return roxywi_common.handler_exceptions_for_json_data(e, '')
    return jsonify({'compare': compare})
# Patched code in app/modules/config/config.py
# Source: https://github.com/roxy-wi/roxy-wi/commit/a10ac7306c252014f97a7213db4a9470300fa064
# (excerpt: the tail of compare_config(); old_cfg and cfg are the file paths
# derived from the left and right parameters, built earlier in the function)
    cmd = f"/bin/diff -ub {old_cfg} {cfg}"
    output, stderr = server_mod.subprocess_execute(cmd)
    # The fix: surface diff's stderr instead of silently returning
    if stderr:
        raise Exception(stderr)
    output = '\n'.join(output)
    return output
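The root cause described above is a file name that is interpolated into a shell command line, and the patch addresses it by rejecting `..`. The following is an added example, not Roxy-WI's code, showing the two controls a defender would normally want on top of that: containment of the resolved path inside the configuration directory (so absolute names and symlinks are caught as well), and a comparison that never involves a shell. It swaps the external `diff` call for Python's `difflib`; a second function keeps an external binary but passes an argument list instead of a formatted string. `CONFIG_ROOT` is a placeholder path and the function names are illustrative.

```python
"""Hardened version of the configuration comparison.

Added example, not Roxy-WI's own code. It assumes saved configuration
versions live under one directory (CONFIG_ROOT below is a placeholder
path); the names safe_config_path, compare_config and
compare_config_external are illustrative.
"""
import difflib
import subprocess
import tempfile
from pathlib import Path

# Placeholder for the directory that holds saved configuration versions.
CONFIG_ROOT = Path("/path/to/roxy-wi/configs")


def safe_config_path(base: Path, user_value: str) -> Path:
    """Resolve a user-supplied file name inside base and refuse anything
    that ends up outside it.

    Deciding on the canonical path is stronger than scanning for '..':
    absolute names, symlinks and odd separators are all handled, because
    the check looks at where the name actually points.
    """
    if not user_value or "\x00" in user_value:
        raise ValueError("empty or invalid file name")
    base_resolved = base.resolve()
    # Path('/base') / '/etc/passwd' yields '/etc/passwd', so an absolute
    # name is caught by the containment check below, not silently joined.
    candidate = (base_resolved / user_value).resolve()
    if base_resolved not in candidate.parents:
        raise ValueError(f"path escapes the configuration directory: {user_value!r}")
    if not candidate.is_file():
        raise ValueError(f"not a configuration file: {user_value!r}")
    return candidate


def compare_config(base: Path, left: str, right: str) -> str:
    """Unified diff of two saved versions, computed in-process with difflib.

    No shell and no external program are involved, so the user-controlled
    names never become part of any command line.
    """
    old_cfg = safe_config_path(base, left)
    new_cfg = safe_config_path(base, right)
    old_lines = old_cfg.read_text().splitlines(keepends=True)
    new_lines = new_cfg.read_text().splitlines(keepends=True)
    return "".join(difflib.unified_diff(old_lines, new_lines,
                                        fromfile=left, tofile=right))


def compare_config_external(base: Path, left: str, right: str) -> str:
    """Same containment check, but keeping an external diff binary.

    The arguments are passed as a list (no shell=True), so a metacharacter
    in a name is just a byte in a file name, never shell syntax. diff exits
    with 1 when the files differ, so only exit codes above 1 are errors.
    """
    old_cfg = safe_config_path(base, left)
    new_cfg = safe_config_path(base, right)
    proc = subprocess.run(["/bin/diff", "-ub", str(old_cfg), str(new_cfg)],
                          capture_output=True, text=True)
    if proc.returncode > 1:
        raise RuntimeError(proc.stderr.strip() or f"diff exited {proc.returncode}")
    return proc.stdout


def demo() -> dict:
    """Exercise accepted and rejected inputs on two constructed sample
    configuration files written to a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "haproxy-1.cfg").write_text("global\n    maxconn 2000\n")
        (base / "haproxy-2.cfg").write_text("global\n    maxconn 4000\n")
        diff = compare_config(base, "haproxy-1.cfg", "haproxy-2.cfg")
        rejected = []
        for bad in ("../../etc/passwd", "/etc/passwd", "nonexistent.cfg", "."):
            try:
                compare_config(base, bad, "haproxy-2.cfg")
            except ValueError:
                rejected.append(bad)
        return {"diff": diff, "rejected": rejected}


if __name__ == "__main__":
    print(demo()["diff"])
```

Resolving the path first and comparing against the resolved base means a symlink placed inside the configuration directory that points elsewhere is rejected too, which a plain `'..' in left` check does not cover.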
Detection Methods for CVE-2026-27811
Indicators of Compromise
- Unusual POST requests to /config/compare/<service>/<server_ip>/show endpoints containing path traversal sequences (..) or shell metacharacters
- Web application logs showing malformed configuration comparison requests with special characters in left or right parameters
- Unexpected child processes spawned by the Roxy-WI application process
- System command execution logs showing commands initiated from the web application context
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block requests containing path traversal patterns (..) or shell command injection characters in JSON payloads
- Monitor Roxy-WI application logs for failed input validation attempts or unusual error patterns in the configuration comparison functionality
- Implement network intrusion detection signatures for HTTP POST requests targeting the vulnerable endpoint with suspicious payloads
- Enable process monitoring on Roxy-WI servers to detect anomalous child process creation
Monitoring Recommendations
- Enable detailed access logging for all Roxy-WI configuration management endpoints
- Set up alerts for repeated authentication attempts followed by suspicious API activity
- Monitor system call activity for the Roxy-WI application process to detect command execution attempts
- Track file access patterns for configuration files outside expected directories
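The indicators listed above (traversal sequences or shell metacharacters in the left/right parameters, and repeated suspicious activity from one account) can be turned into a small log scanner. The following is an added example, not Roxy-WI's own tooling; the log line layout and the sample lines are constructed for illustration and do not claim to match Roxy-WI's real log format. It decodes percent-encoding before matching so that encoded variants of `..` do not slip past the check.

```python
"""Spot suspicious configuration-comparison requests in application logs.

Added example, not Roxy-WI's own tooling. The log line layout below is
constructed for illustration (Roxy-WI's real log format may differ), and
the function names are illustrative.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Request path of the affected endpoint: /config/compare/<service>/<server_ip>/show
COMPARE_ENDPOINT = re.compile(r"^/config/compare/[^/]+/[^/]+/show$")
# Characters that only make sense if the value were to reach a shell.
SHELL_META = re.compile(r"[;&|`$<>]")

# Constructed line layout:
# "<ts> <level> user=<u> ip=<ip> <METHOD> <path> [left=<v> right=<v>]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<level>\w+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"(?P<method>[A-Z]+) (?P<path>\S+)(?: left=(?P<left>\S*) right=(?P<right>\S*))?\s*$"
)


def inspect_value(name: str, value: str) -> list:
    """Return the reasons a single left/right value looks malicious."""
    # Decode percent-encoding first so %2e%2e does not slip past the '..' check.
    decoded = unquote(value)
    reasons = []
    if ".." in decoded:
        reasons.append(f"{name}: path traversal")
    if decoded.startswith("/"):
        reasons.append(f"{name}: absolute path")
    if SHELL_META.search(decoded):
        reasons.append(f"{name}: shell metacharacter")
    return reasons


def analyze(lines, repeat_threshold: int = 3):
    """Scan log lines; return (alerts, users with >= repeat_threshold alerts)."""
    alerts = []
    per_user = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not COMPARE_ENDPOINT.match(m["path"]):
            continue
        reasons = (inspect_value("left", m["left"] or "")
                   + inspect_value("right", m["right"] or ""))
        if reasons:
            per_user[m["user"]] += 1
            alerts.append({"ts": m["ts"], "user": m["user"], "ip": m["ip"],
                           "path": m["path"], "reasons": reasons})
    repeat_offenders = sorted(u for u, n in per_user.items() if n >= repeat_threshold)
    return alerts, repeat_offenders


# Constructed sample lines: one benign comparison, three suspicious ones from
# the same account (one of them percent-encoded), and an unrelated request.
LOG_LINES = [
    "2026-03-19T10:14:02Z INFO user=admin ip=10.0.0.5 POST /config/compare/haproxy/10.0.0.7/show "
    "left=haproxy-2026-03-18.cfg right=haproxy-2026-03-19.cfg",
    "2026-03-19T10:15:11Z INFO user=ops2 ip=10.0.0.9 POST /config/compare/nginx/10.0.0.8/show "
    "left=../../../etc/shadow right=nginx-2026-03-19.conf",
    "2026-03-19T10:15:13Z INFO user=ops2 ip=10.0.0.9 POST /config/compare/nginx/10.0.0.8/show "
    "left=%2e%2e%2f%2e%2e%2fetc%2fpasswd right=nginx-2026-03-19.conf",
    "2026-03-19T10:15:20Z INFO user=ops2 ip=10.0.0.9 POST /config/compare/nginx/10.0.0.8/show "
    "left=nginx-2026-03-19.conf right=nginx.conf;x",
    "2026-03-19T10:16:00Z INFO user=admin ip=10.0.0.5 GET /config/haproxy/10.0.0.7",
]

if __name__ == "__main__":
    found, repeaters = analyze(LOG_LINES)
    for alert in found:
        print(alert)
    print("repeat offenders:", repeaters)
```

The per-user counter is what implements the "repeated suspicious API activity" alert from the monitoring list; the threshold is a parameter so it can be tuned to the environment's normal error rate.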
How to Mitigate CVE-2026-27811
Immediate Actions Required
- Upgrade Roxy-WI to version 8.2.6.3 or later immediately
- Review access logs for any evidence of exploitation attempts against the /config/compare/ endpoint
- Audit user accounts with access to Roxy-WI and revoke unnecessary privileges
- Consider temporarily restricting access to configuration comparison functionality until patching is complete
Patch Information
The vulnerability has been fixed in Roxy-WI version 8.2.6.3. The patch implements additional input validation by explicitly blocking path traversal sequences (..) in the left and right parameters, and adds proper error handling for the diff command execution. Users should update to this version by following the standard upgrade procedure.
For more information, see the GitHub Security Advisory GHSA-jvmv-cw47-jh77 and the security fix commit.
Workarounds
- Implement network-level access controls to restrict access to the Roxy-WI interface to trusted management networks only
- Deploy a web application firewall (WAF) with rules to block requests containing path traversal sequences or command injection patterns
- If upgrading is not immediately possible, consider temporarily disabling the configuration comparison feature by restricting access at the reverse proxy or firewall level
- Enable strict Content Security Policy headers and input validation at the network edge
# Example: Block access to vulnerable endpoint using nginx until patched
# Add to nginx configuration for Roxy-WI proxy
location ~ ^/config/compare/.*/show$ {
    # Temporarily deny access to vulnerable endpoint
    deny all;
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.