CVE-2026-33076 Overview
CVE-2026-33076 is a critical path traversal vulnerability in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. The vulnerability exists in the haproxy_section_save interface, where insufficient input validation lets path traversal sequences in user-supplied input redirect a configuration write into scheduled-task locations, ultimately achieving remote code execution on vulnerable systems.
Prior to version 8.2.6.4, the application fails to properly sanitize user-supplied input in the configuration save functionality, enabling unauthenticated attackers to traverse directory paths and inject arbitrary code into system cron jobs or other scheduled task mechanisms.
Critical Impact
Unauthenticated remote attackers can achieve arbitrary code execution by exploiting path traversal to write malicious payloads into scheduled tasks, potentially leading to complete system compromise.
Affected Products
- Roxy-WI versions prior to 8.2.6.4
- All deployments using the haproxy_section_save interface
- Systems running Roxy-WI with HAProxy, Nginx, Apache, or Keepalived management enabled
Discovery Timeline
- 2026-04-24 - CVE-2026-33076 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-33076
Vulnerability Analysis
This vulnerability combines two dangerous attack primitives: path traversal (CWE-22) and arbitrary file write. The haproxy_section_save endpoint in Roxy-WI accepts user-controlled input that determines where configuration data is written on the filesystem. Due to inadequate path validation, an attacker can use directory traversal sequences (e.g., ../) to escape the intended configuration directory and write to arbitrary locations.
The most severe exploitation scenario involves writing malicious scripts to cron directories or other scheduled task locations. Once the scheduled task executes, the attacker's payload runs with the privileges of the task scheduler, typically root on Linux systems. This attack requires no authentication and can be performed remotely over the network.
Root Cause
The root cause is improper input validation in the path handling logic of the haproxy_section_save interface. The application fails to:
- Canonicalize file paths before use
- Validate that the resolved path remains within the intended configuration directory
- Sanitize path traversal sequences from user input
- Implement proper IP/DNS validation in route handling
The security patch introduced in version 8.2.6.4 adds the common module import to improve input validation:
import app.modules.db.sql as sql
+import app.modules.common.common as common
import app.modules.roxy_wi_tools as roxy_wi_tools
get_config_var = roxy_wi_tools.GetConfigVar()
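Review bot: the quoted hunk only adds `import app.modules.common.common as common`; none of the visible lines call anything from the common module, so the import on its own does not canonicalize or contain the path handled by haproxy_section_save. The call site that resolves the target path and checks it stays under the configuration directory should be quoted alongside the import so a reviewer can confirm the traversal check is actually applied; as shown, a linter would flag `common` as unused.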
Source: GitHub Commit
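To illustrate the canonicalize-then-contain check that the root-cause list above says is missing, here is an added Python example; it is not Roxy-WI's code, and the configuration root, function names and section names are assumptions. A naive string join is shown beside the hardened resolver so the difference in behaviour is visible:

```python
from pathlib import Path

# Assumed configuration root (placeholder; the real Roxy-WI path is not given on this page).
CONFIG_ROOT = Path("/tmp/roxy-wi-sections")


def naive_join(section_name: str, root: Path = CONFIG_ROOT) -> str:
    """The pattern the advisory describes as the flaw: user input is appended
    to the config root with no canonicalization, so '..' segments or an
    absolute name move the write elsewhere. Hypothetical, shown for contrast only."""
    return f"{root}/{section_name}"


def resolve_section_path(section_name: str, root: Path = CONFIG_ROOT) -> Path:
    """Hardened version: canonicalize first, then require the resolved path to
    remain inside the resolved configuration root.

    Path.resolve() collapses '..' segments and follows symlinks (strict=False,
    so the file need not exist yet). Joining an absolute name onto a Path
    discards the root, so both escape routes land outside `root` and fail the
    relative_to() containment check below.
    """
    root_resolved = root.resolve()
    candidate = (root_resolved / section_name).resolve()
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        raise ValueError(f"section path escapes config root: {section_name!r}")
    if candidate == root_resolved:
        raise ValueError("section name must not resolve to the config root itself")
    return candidate


def is_safe_section_name(section_name: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        resolve_section_path(section_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in ("frontend_web.cfg", "../../../etc/cron.d/job", "/etc/cron.d/job"):
        print(f"{name!r}: naive -> {naive_join(name)!r}, accepted -> {is_safe_section_name(name)}")
```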
Attack Vector
The attack is network-based and requires no user interaction or prior authentication. An attacker can craft malicious HTTP requests to the haproxy_section_save endpoint with path traversal payloads in the filename or path parameters. The payload would include:
- Path traversal sequences to reach system directories
- Malicious script content designed for execution via cron or similar mechanisms
- Appropriate file extensions and permissions to enable execution
The version migration script shipped with the fix records the new version number (and restores 8.2.6.3 on rollback):
+from playhouse.migrate import *
+from app.modules.db.db_model import connect, Version
+
+migrator = connect(get_migrator=1)
+
+
+def up():
+ """Apply the migration."""
+ try:
+ Version.update(version='8.2.6.4').execute()
+ except Exception as e:
+ print(f"Error updating version: {str(e)}")
+ raise e
+
+
+def down():
+ """Roll back the migration."""
+ try:
+ Version.update(version='8.2.6.3').execute()
+ except Exception as e:
+ print(f"Error rolling back migration: {str(e)}")
+ raise e
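Review bot: `migrator = connect(get_migrator=1)` is assigned but never used in `up()` or `down()`, and `from playhouse.migrate import *` is a wildcard import whose names the script never references; both can be dropped, since only `Version` from `app.modules.db.db_model` is used. In both functions, `print(...)` followed by `raise e` could be replaced by a bare `raise`, which preserves the original traceback without the extra string formatting.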
Source: GitHub Commit
Detection Methods for CVE-2026-33076
Indicators of Compromise
- Unexpected files appearing in cron directories (/etc/cron.d/, /etc/cron.daily/, /var/spool/cron/)
- HTTP requests to haproxy_section_save endpoint containing path traversal sequences (../, ..%2f, ..%252f)
- New or modified scheduled tasks with unknown origins
- Suspicious process execution originating from cron or systemd timer services
Detection Strategies
- Monitor web server logs for requests to the haproxy_section_save endpoint containing encoded or plain path traversal patterns
- Implement file integrity monitoring (FIM) on cron directories and other scheduled task locations
- Deploy web application firewall (WAF) rules to detect and block path traversal attempts
- Review Roxy-WI application logs for anomalous configuration save operations
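As an added example of the log-monitoring strategy listed above (not part of the advisory or of Roxy-WI), the following Python scanner reads combined-format access log lines, percent-decodes the request target repeatedly so single- and double-encoded variants such as ..%2f and ..%252f are normalized, and flags requests to the haproxy_section_save endpoint that contain a traversal segment. The log lines are constructed samples and the log format is an assumption:

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

ENDPOINT = "haproxy_section_save"
# A '..' segment followed by a slash/backslash or end of string, checked after decoding.
TRAVERSAL_RE = re.compile(r"\.\.(?:[\\/]|$)")
# Combined log format: client, timestamp, request line, status code.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not real traffic); only the second and third should be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Apr/2026:10:00:01 +0000] "POST /app/haproxy_section_save?name=frontend.cfg HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Apr/2026:10:00:02 +0000] "POST /app/haproxy_section_save?name=..%2f..%2fetc%2fcron.d%2fjob HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.9 - - [24/Apr/2026:10:00:03 +0000] "POST /app/haproxy_section_save?name=..%252f..%252fetc HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.3 - - [24/Apr/2026:10:00:04 +0000] "GET /app/logs?file=../../etc/passwd HTTP/1.1" 403 0 "-" "curl/8.0"
"""


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded) so ..%252f -> ..%2f -> ../ is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def has_traversal(target: str) -> bool:
    return bool(TRAVERSAL_RE.search(fully_decode(target)))


def scan_access_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, status, raw_target) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        match = ACCESS_RE.match(line)
        if not match:
            continue  # unparsable line; a real deployment should count these too
        target = match.group("target")
        if ENDPOINT in target and has_traversal(target):
            hits.append((match.group("ip"), match.group("status"), target))
    return hits
```

Access logs only expose the query string, so a traversal value carried in a POST body is invisible to this scanner; that gap is why the monitoring recommendations below also call for verbose application-side logging of save requests.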
Monitoring Recommendations
- Enable verbose logging on the Roxy-WI application to capture all configuration save requests
- Configure alerts for any file modifications in system-critical directories from the Roxy-WI service account
- Implement network-level monitoring for unusual outbound connections from servers running Roxy-WI
- Regularly audit cron jobs and scheduled tasks for unauthorized entries
How to Mitigate CVE-2026-33076
Immediate Actions Required
- Upgrade Roxy-WI to version 8.2.6.4 or later immediately
- Audit existing cron jobs and scheduled tasks for any unauthorized entries
- Review system logs for evidence of exploitation attempts
- Restrict network access to the Roxy-WI interface using firewall rules or network segmentation
- Consider temporarily disabling the haproxy_section_save functionality if immediate patching is not possible
Patch Information
The vulnerability has been fixed in Roxy-WI version 8.2.6.4. The patch introduces improved IP/DNS validation in routes and adds proper input sanitization through the common module. Organizations should apply this update through their standard package management or by pulling the latest version from the official repository.
For detailed information about the fix, refer to the GitHub Security Advisory and the security patch commit.
Workarounds
- Place Roxy-WI behind a reverse proxy with path traversal filtering capabilities
- Implement network-level access controls to limit who can reach the Roxy-WI interface
- Use a web application firewall (WAF) to block requests containing path traversal patterns
- Run Roxy-WI in a containerized environment with restricted filesystem access to limit the impact of exploitation
# Example: Restrict Roxy-WI access via iptables
# (port 8080 is assumed; adjust to the port Roxy-WI actually listens on, and place the rules
# before any broader ACCEPT rule so the DROP is reached)
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
# Example: Nginx reverse proxy with path traversal blocking
# $request_uri is the raw, undecoded URI, so this matches a literal ".." (which covers the
# ..%2f and ..%252f forms listed above) but not a fully percent-encoded %2e%2e; "return" is
# one of the few uses of "if" that is safe inside a location block.
location /app/ {
    if ($request_uri ~* "\.\.") {
        return 403;
    }
    proxy_pass http://roxy-wi-backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.