CVE-2026-33431 Overview
CVE-2026-33431 is a path traversal vulnerability in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache and Keepalived servers. The flaw is in the POST /config/<service>/show API endpoint: the configver parameter, which selects the configuration version to display, is appended to a base directory path without validation, so an authenticated attacker can read any file that the web application process is able to read.
Critical Impact
Authenticated attackers can exploit this vulnerability to read sensitive configuration files, credentials, and other system files accessible to the web application process, potentially leading to further system compromise.
Affected Products
- Roxy-WI versions prior to 8.2.6.4
Discovery Timeline
- 2026-04-20 - CVE CVE-2026-33431 published to NVD
- 2026-04-21 - Last updated in NVD database
Technical Details for CVE-2026-33431
Vulnerability Analysis
This path traversal vulnerability (CWE-24: Path Traversal: '../filedir') stems from inadequate input validation in the configuration file viewing functionality of Roxy-WI. The vulnerable endpoint at /config/<service>/show accepts a configver parameter that specifies which version of a configuration file to display. This parameter value is concatenated directly with a base directory path to construct the full file path for reading operations.
The flaw is an incomplete traversal guard. The application does check for the directory traversal sequence (..), but only on the configs_dir variable, the base directory, which is never user-controlled. The user-supplied configver parameter is never checked, so traversal sequences in it reach the file open unvalidated.
Root Cause
The root cause is in app/modules/config/config.py: the traversal check inspected only configs_dir and ignored the user-controllable configver parameter. An authenticated user could therefore place ../ sequences in configver to escape the configuration directory and read any file the web application process can read.
Attack Vector
An authenticated attacker sends a POST request to /config/<service>/show with a configver value that contains enough ../ segments to escape the configuration directory, then reads files such as /etc/passwd, application settings, database credentials or private keys. What can be read is bounded by the permissions of the web application process: /etc/shadow is reachable only if that process runs as root or another privileged account, which is one reason not to run Roxy-WI with more privilege than it needs.
# Patch from app/modules/config/config.py showing the security fix
else:
config_file_name = ''
- if '..' in configs_dir:
+ if '..' in (configs_dir, config_file_name, configver):
raise Exception('error: nice try')
if configver is None:
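Review bot: the replacement condition on the + line is a different test from the one it replaces. '..' in (configs_dir, config_file_name, configver) is a tuple membership test, so it raises only when one of the three values is exactly the string '..'; a configver such as ../../etc/passwd is not equal to '..' and passes, whereas the removed '..' in configs_dir was a substring test. The context line directly below shows configver can be None, which the membership test also tolerates silently. Suggest if any('..' in v for v in (configs_dir, config_file_name, configver) if v): so each value is checked for an embedded '..' and None is skipped, and additionally resolve the final path and confirm it still lies under configs_dir rather than relying on string matching alone.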
Source: GitHub Commit Details
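To make the flawed check concrete, here is an added Python illustration; it is not Roxy-WI's code. It shows a handler that mirrors the pre-patch pattern (base directory screened, configver appended unchecked), the membership expression from the patch hunk above reproduced as a standalone function so its behaviour can be tested, and a hardened handler that validates the user value and then verifies that the resolved path is still inside the base directory. The function names, the scratch directory layout and the request values are assumptions constructed for this example.

```python
import os
import tempfile

# Constructed fixture (not a real Roxy-WI layout): a scratch base directory with one
# versioned config file, and a file two levels up that must never be reachable.
ROOT = tempfile.mkdtemp()
CONFIGS_DIR = os.path.join(ROOT, "configs", "haproxy")
os.makedirs(CONFIGS_DIR)
with open(os.path.join(CONFIGS_DIR, "haproxy-2026-04-01.cfg"), "w") as fh:
    fh.write("global\n    daemon\n")
with open(os.path.join(ROOT, "secret.txt"), "w") as fh:
    fh.write("db_password=example-only\n")


def show_config_vulnerable(configs_dir, configver):
    """Pre-patch pattern: only the base directory is screened for '..',
    then the user value is glued onto it and opened."""
    if ".." in configs_dir:
        raise ValueError("error: nice try")
    path = configs_dir + "/" + configver      # configver reaches open() unvalidated
    with open(path) as fh:
        return fh.read()


def tuple_membership_check(configs_dir, config_file_name, configver):
    """Reproduces the expression on the '+' line of the patch hunk above.
    Python's 'in' against a tuple is an equality test on its elements, so this
    returns True only when one value is exactly '..', not when '..' is embedded."""
    return ".." in (configs_dir, config_file_name, configver)


def substring_check(configs_dir, config_file_name, configver):
    """The substring form of the same check, skipping None/empty values."""
    return any(".." in v for v in (configs_dir, config_file_name, configver) if v)


def show_config_hardened(configs_dir, configver):
    """Two independent defences: reject suspicious characters in the user value,
    then resolve the final path and confirm it is still inside configs_dir."""
    if not configver:
        raise ValueError("configver is required")
    if any(bad in configver for bad in ("..", "/", "\\", "\x00")):
        raise ValueError("error: nice try")
    base = os.path.realpath(configs_dir)
    path = os.path.realpath(os.path.join(base, configver))
    if os.path.commonpath([base, path]) != base:   # catches symlink escapes too
        raise ValueError("error: nice try")
    if not os.path.isfile(path):
        raise ValueError("no such config version")
    with open(path) as fh:
        return fh.read()


def hardened_rejects(configs_dir, configver):
    """True when the hardened handler refuses the request."""
    try:
        show_config_hardened(configs_dir, configver)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(show_config_vulnerable(CONFIGS_DIR, "../../secret.txt").strip())   # escapes the base dir
    print(hardened_rejects(CONFIGS_DIR, "../../secret.txt"))                # True
    print(tuple_membership_check("/etc/roxy-wi", "", "../../secret.txt"))   # False
    print(substring_check("/etc/roxy-wi", "", "../../secret.txt"))          # True
```

The hardened handler deliberately does not stop at string matching: the realpath/commonpath containment test is what protects against cases the blocklist misses, such as a symlink inside the configuration directory that points elsewhere.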
Detection Methods for CVE-2026-33431
Indicators of Compromise
- HTTP POST requests to /config/<service>/show endpoints containing ../ sequences in parameters
- Unusual file access patterns from the Roxy-WI web application process
- Access attempts to sensitive system files such as /etc/passwd, /etc/shadow, or configuration files outside the normal config directory
- Log entries showing requests with encoded traversal sequences such as %2e%2e%2f or ..%2f, including double-encoded forms like %252e%252e%252f that survive a single decoding pass
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing path traversal patterns in POST parameters
- Monitor application logs for requests to the /config/*/show endpoint with suspicious configver values
- Enable file access auditing (for example auditd watch rules) on sensitive files such as /etc/shadow and application secrets so that reads by the web application process are recorded; file integrity monitoring on its own only reports modifications, not reads
- Review Roxy-WI access logs for patterns indicating systematic file enumeration attempts
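The log review in the strategies above can be scripted. The following is an added Python example, not a tool shipped with Roxy-WI: it parses constructed access-log lines in which the POST body's configver value has been appended by a logging reverse proxy (an assumption about how the parameter gets into the log), percent-decodes the value repeatedly so single- and double-encoded sequences collapse, and flags POSTs to /config/<service>/show whose normalized configver contains a .. path segment. The log lines, addresses and usernames are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not real Roxy-WI logs): combined log format with the
# POST body's configver value appended by a fronting proxy. Only line 1 is benign.
SAMPLE_LOG = """\
10.0.0.5 - admin [21/Apr/2026:10:01:02 +0000] "POST /config/haproxy/show HTTP/1.1" 200 812 configver=haproxy-2026-04-01.cfg
10.0.0.9 - admin [21/Apr/2026:10:02:15 +0000] "POST /config/haproxy/show HTTP/1.1" 200 2310 configver=../../../../etc/passwd
10.0.0.9 - admin [21/Apr/2026:10:02:16 +0000] "POST /config/nginx/show HTTP/1.1" 200 1100 configver=%2e%2e%2f%2e%2e%2fetc%2fshadow
10.0.0.9 - admin [21/Apr/2026:10:02:17 +0000] "POST /config/keepalived/show HTTP/1.1" 200 900 configver=%252e%252e%252fapp%252fsettings.py
10.0.0.5 - admin [21/Apr/2026:10:03:00 +0000] "GET /config/haproxy HTTP/1.1" 200 5000 -
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d+) \S+ (?P<extra>.*)$'
)
SHOW_PATH_RE = re.compile(r"^/config/[^/]+/show$")
# A '..' that stands alone as a path segment (start or slash before, slash or end after).
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def normalize(value, rounds=3):
    """Percent-decode until stable (bounded, so crafted input cannot loop forever),
    then fold backslashes to forward slashes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")


def find_traversal_attempts(log_text):
    """Return one finding per POST to /config/<service>/show whose configver,
    after normalization, contains a '..' path segment."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        if m["method"] != "POST" or not SHOW_PATH_RE.match(m["path"]):
            continue
        params = dict(p.split("=", 1) for p in m["extra"].split("&") if "=" in p)
        configver = params.get("configver", "")
        if TRAVERSAL_RE.search(normalize(configver)):
            findings.append({
                "ip": m["ip"],
                "user": m["user"],
                "path": m["path"],
                "configver": configver,
                "normalized": normalize(configver),
                # A 200 on a traversal attempt means the file was most likely returned.
                "likely_success": m["status"] == "200",
            })
    return findings


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit)
```

Run it over the real access log of the proxy in front of Roxy-WI once that proxy records the configver value; a 200 response on a flagged line is the event to escalate, since it indicates the file was served rather than rejected.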
Monitoring Recommendations
- Enable detailed request logging for all API endpoints handling file operations
- Configure alerts for any access attempts to files outside the expected configuration directories
- Monitor for authentication events followed by suspicious API activity patterns
- Implement rate limiting on configuration viewing endpoints to slow potential exploitation attempts
How to Mitigate CVE-2026-33431
Immediate Actions Required
- Upgrade Roxy-WI to version 8.2.6.4 or later immediately
- Review access logs for any evidence of exploitation attempts targeting the /config/<service>/show endpoint
- Audit user accounts with access to Roxy-WI and remove any unnecessary privileges
- If upgrade is not immediately possible, implement network-level access controls to restrict access to the Roxy-WI interface
Patch Information
The vulnerability has been patched in Roxy-WI version 8.2.6.4. The fix extends the traversal check from configs_dir alone to config_file_name and configver as well, written as '..' in (configs_dir, config_file_name, configver). Because that expression is a Python tuple membership test, it matches a value equal to .. rather than a value containing it, so after upgrading it is worth confirming on your own build that a configver such as ../../etc/passwd is rejected rather than relying on the version number alone. The security patch is available in commit d4d100067dd0ee04317f05d3b51be8fcfdc3f802. For detailed patch information, see the GitHub Security Advisory.
Workarounds
- Restrict network access to the Roxy-WI interface to trusted IP addresses only
- Implement a reverse proxy with WAF capabilities that filters requests containing path traversal patterns
- Audit and restrict file system permissions for the Roxy-WI process to minimize the impact of potential exploitation
- Enable additional authentication mechanisms such as multi-factor authentication for Roxy-WI access; exploitation requires a valid account, so this shrinks the set of actors who can reach the endpoint but does not fix the flaw for legitimate users
# Example: Restrict access to Roxy-WI using iptables
# Replace 8080 with the port Roxy-WI actually listens on and 10.0.0.0/24 with your
# management subnet. Rules are evaluated in order, so the ACCEPT must come before the
# DROP, and -A appends: if the INPUT chain already ends in a catch-all ACCEPT, insert
# these with -I instead so they are reached.
# Allow only trusted management subnet
iptables -A INPUT -p tcp --dport 8080 -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -p tcp --dport 8080 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

