CVE-2026-33208 Overview
CVE-2026-33208 is a critical Command Injection vulnerability affecting Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The vulnerability exists in the /config/<service>/find-in-config endpoint, which fails to properly sanitize the user-supplied words parameter before embedding it into a shell command that is executed on remote managed servers via SSH. An authenticated attacker can exploit this flaw by injecting arbitrary shell metacharacters to break out of the intended grep command context, achieving full Remote Code Execution (RCE) with sudo privileges on target servers.
Critical Impact
Authenticated attackers can achieve full Remote Code Execution with sudo privileges on managed servers, potentially compromising entire infrastructure managed through Roxy-WI.
Affected Products
- Roxy-WI versions prior to 8.2.6.4
- All Roxy-WI installations managing Haproxy, Nginx, Apache, or Keepalived servers
- Any deployment exposing the vulnerable /config/<service>/find-in-config endpoint
Discovery Timeline
- 2026-04-24 - CVE-2026-33208 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-33208
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The vulnerable endpoint accepts user input through the words parameter and directly incorporates this input into a shell command string without proper sanitization. The command is then executed remotely on managed servers via SSH with elevated (sudo) privileges.
The attack requires authentication to the Roxy-WI interface, meaning an attacker would need valid credentials. However, once authenticated, exploitation is straightforward and requires no user interaction. The network-based attack vector allows exploitation from anywhere the Roxy-WI interface is accessible.
The impact is severe: successful exploitation grants attackers the ability to execute arbitrary commands with sudo privileges on any server managed through the Roxy-WI instance. This could lead to complete compromise of the managed infrastructure, data exfiltration, lateral movement, or deployment of persistent backdoors.
Root Cause
The root cause of this vulnerability is insufficient input validation in the find-in-config endpoint. The application directly passes user-controlled input to shell command construction without sanitizing or escaping shell metacharacters. When the words parameter is received, it is embedded into a grep command string that gets executed remotely. By injecting shell metacharacters such as backticks, semicolons, or command substitution sequences, an attacker can break out of the intended command context.
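An added example, not Roxy-WI's code and not part of the advisory, showing the construction the root cause describes beside a hardened version: an allowlist on words followed by shlex.quote, with the config path assumed for illustration. remote_argv shows how the remote shell would split each command string without executing anything.

```python
import re
import shlex

# Assumed config path for this worked example (not a value taken from Roxy-WI).
CONFIG_PATH = "/etc/haproxy/haproxy.cfg"

def build_find_command_vulnerable(words):
    """The pattern the advisory describes: the raw words value is interpolated into a shell string."""
    return f"sudo grep -n {words} {CONFIG_PATH}"

# Allowlist for a config search term: letters, digits and the punctuation that occurs in
# Haproxy/Nginx directives. Anything outside it is rejected rather than escaped.
WORDS_ALLOWED = re.compile(r"[-A-Za-z0-9_.:/= ]{1,128}")

def validate_words(words):
    """Reject a missing form field (None) and any value outside the allowlist."""
    if not isinstance(words, str) or not WORDS_ALLOWED.fullmatch(words):
        raise ValueError("words contains characters outside the allowed set")
    return words

def build_find_command_hardened(words):
    """Allowlist first, then shlex.quote, so the value reaches grep as one argument even if the
    allowlist is relaxed later. The command still travels to the managed host as a string over
    SSH, which is why quoting (rather than an argv list) is the relevant control here; '--'
    stops a value beginning with '-' from being read as a grep option."""
    safe = shlex.quote(validate_words(words))
    return f"sudo grep -n -- {safe} {shlex.quote(CONFIG_PATH)}"

def remote_argv(command):
    """Tokenise a command the way a POSIX shell would split it, without executing anything."""
    return shlex.split(command)

if __name__ == "__main__":
    print(remote_argv(build_find_command_hardened("timeout client")))
```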
Attack Vector
The attack vector is network-based and targets the /config/<service>/find-in-config endpoint. An authenticated user sends a crafted HTTP request with malicious shell metacharacters in the words parameter. The application constructs a shell command incorporating this unsanitized input and executes it via SSH on the remote managed server with sudo privileges.
An attacker could inject payloads such as ; whoami # or $(malicious_command) to escape the grep context and execute arbitrary commands. The execution occurs with elevated privileges, providing full control over the target server.
# Security patch adding input validation
# Source: https://github.com/roxy-wi/roxy-wi/commit/02f147d567a3cc8cf61a4b58ea4c2b7866a544de
import app.modules.roxywi.roxy as roxy
import app.modules.roxywi.auth as roxywi_auth
import app.modules.roxywi.common as roxywi_common
+from app.modules.common.common import checkAjaxInput
from app.modules.roxywi import logger
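Review bot: the call site that applies checkAjaxInput to the words value before it is embedded in the grep command string is not in this excerpt; only the `+from app.modules.common.common import checkAjaxInput` line is shown, so whether every path into the command construction is covered cannot be confirmed from these lines. A character check of this kind is also a blocklist-style control; for a value that is interpolated into a command string sent over SSH, pass it through shlex.quote as well (and put `--` before it so a leading `-` is not read as a grep option), so that the command context cannot be escaped even if the check is later relaxed.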
The patch imports the existing checkAjaxInput helper (from app.modules.common.common) to validate and sanitize user input before it is processed. Additionally, path traversal protection was added:
# Path traversal protection added in routes/config/routes.py
# Source: https://github.com/roxy-wi/roxy-wi/commit/02f147d567a3cc8cf61a4b58ea4c2b7866a544de
server_ip = common.is_ip_or_dns(server_ip)
config_file_name = request.form.get('config_file_name')
+ if '..' in config_file_name:
+ return jsonify({'error': 'error: .. is not allowed'})
+
try:
return config_mod.show_config_files(server_ip, service, config_file_name)
except Exception as e:
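Review bot: the added `if '..' in config_file_name:` check raises TypeError when the form field is absent, because `request.form.get('config_file_name')` on the preceding line returns None in that case; default it with `request.form.get('config_file_name', '')` or reject None explicitly. A substring test for `..` is also a narrow check: it does not reject an absolute path and leaves the decision to string matching rather than to the filesystem, so the stronger form is to join the value to the service's configuration directory, resolve it with os.path.realpath, and require the result to remain under that directory. The rejection is returned through jsonify without an error status, so it will look like a normal 200 response in access logs; returning 400 makes the rejected request visible to the monitoring described later in this advisory.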
Detection Methods for CVE-2026-33208
Indicators of Compromise
- Unusual HTTP requests to /config/<service>/find-in-config endpoints containing shell metacharacters (;, |, $(), backticks)
- Unexpected command execution on managed servers originating from the Roxy-WI host
- SSH sessions from Roxy-WI server executing commands outside normal grep operations
- Authentication logs showing suspicious activity followed by configuration endpoint access
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block requests containing shell metacharacters in the words parameter
- Monitor Roxy-WI application logs for requests to vulnerable endpoints with unusual parameter values
- Deploy endpoint detection on managed servers to identify unexpected command execution via SSH
- Review audit logs for sudo command execution that deviates from expected Roxy-WI operations
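An added detection example, not from the advisory or the project: it runs the IoC and log-monitoring checks above over constructed access-log lines (combined log format assumed), flagging shell metacharacters in words on the find-in-config route and '..' in config_file_name on any /config/ route.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Route shapes from the advisory: words on /config/<service>/find-in-config; config_file_name on any /config/ route.
FIND_IN_CONFIG = re.compile(r"^/config/[^/]+/find-in-config/?$")
CONFIG_ROUTE = re.compile(r"^/config/")
# Metacharacters from the advisory's IoCs (; | $ ( ) backtick) plus & and newline, which separate commands too.
METACHARS = re.compile(r"[;|`$()&\n]")
# Combined-format access log line; the format is an assumption for this example.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_log_line(line):
    """Return (client, method, path, params) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, _status = m.groups()
    parts = urlsplit(target)
    return client, method, parts.path, parse_qs(parts.query, keep_blank_values=True)

def check_request(client, method, path, params):
    """Findings for one request; empty when the route is unaffected or the values are clean."""
    findings = []
    if FIND_IN_CONFIG.match(path):
        for words in params.get("words", []):
            if METACHARS.search(words):
                findings.append(f"{client}: shell metacharacter in words={words!r}")
    if CONFIG_ROUTE.match(path):
        for name in params.get("config_file_name", []):
            if ".." in name:
                findings.append(f"{client}: path traversal in config_file_name={name!r}")
    return findings

def scan_log(lines):
    """Run check_request over every parseable line and collect findings in log order."""
    findings = []
    for line in lines:
        parsed = parse_log_line(line)
        if parsed:
            findings.extend(check_request(*parsed))
    return findings

# Constructed sample log: a benign search, the advisory's own payload, a traversal attempt, and a metacharacter on an unrelated route.
SAMPLE_LOG = [
    '10.0.0.5 - admin [24/Apr/2026:10:01:02 +0000] "GET /config/haproxy/find-in-config?words=timeout+client HTTP/1.1" 200 512',
    '10.0.0.9 - admin [24/Apr/2026:10:02:17 +0000] "GET /config/nginx/find-in-config?words=%3B+whoami+%23 HTTP/1.1" 200 128',
    '10.0.0.9 - admin [24/Apr/2026:10:02:40 +0000] "GET /config/haproxy/find-in-config?words=bind&config_file_name=..%2F..%2Fhaproxy.cfg HTTP/1.1" 200 64',
    '10.0.0.7 - admin [24/Apr/2026:10:03:05 +0000] "GET /servers?words=a%3Bb HTTP/1.1" 200 90',
]
```

If Roxy-WI receives words in a POST body, the web server's access log will not contain it; feed check_request from the application log or a WAF audit log that records form fields instead.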
Monitoring Recommendations
- Enable detailed logging for all requests to /config/*/find-in-config endpoints
- Configure alerting for shell metacharacter patterns in HTTP request parameters
- Monitor SSH connection logs from Roxy-WI servers to managed hosts for anomalous command patterns
- Implement network segmentation monitoring between Roxy-WI and managed infrastructure
How to Mitigate CVE-2026-33208
Immediate Actions Required
- Upgrade Roxy-WI to version 8.2.6.4 or later immediately
- Review access controls and ensure only trusted users have authenticated access to Roxy-WI
- Audit logs for any suspicious activity on the vulnerable endpoint prior to patching
- Consider temporarily restricting network access to Roxy-WI interface until patching is complete
Patch Information
The vulnerability has been addressed in Roxy-WI version 8.2.6.4. The fix introduces proper input validation through the checkAjaxInput function and adds path traversal protection. The security patch is available through the GitHub commit. For detailed vulnerability information, refer to the GitHub Security Advisory GHSA-7m2h-gmvj-cjx2.
Workarounds
- Implement WAF rules to filter requests containing shell metacharacters to vulnerable endpoints
- Restrict network access to Roxy-WI to trusted IP ranges only
- Enable multi-factor authentication for Roxy-WI access to reduce credential compromise risk
- Deploy network segmentation between Roxy-WI and managed servers with strict firewall rules
# Example WAF rule to block shell metacharacters (ModSecurity format)
SecRule ARGS:words "@rx [;|`$()]" "id:100001,phase:2,deny,status:403,msg:'Potential command injection in Roxy-WI words parameter'"
# Restrict access to Roxy-WI via iptables
iptables -A INPUT -p tcp --dport 443 -s TRUSTED_IP_RANGE -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


