CVE-2026-45556 Overview
Roxy-WI is a web interface for managing HAProxy, Nginx, Apache, and Keepalived load balancers. A path traversal flaw in versions 8.2.6.4 and prior allows an authenticated low-privilege user to write attacker-controlled content to arbitrary filesystem locations. The vulnerable endpoint POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that flows unchecked into config_mod.master_slave_upload_and_restart(...). By crafting a filename that resolves to /etc/cron.d/, an attacker drops a cron entry executed as root on every managed load balancer.
Critical Impact
Authenticated attackers achieve full root remote code execution on every load balancer managed by their group. No vendor patch is available at publication time.
Affected Products
- Roxy-WI versions 8.2.6.4 and prior
- Deployments managing HAProxy, Nginx, Apache, or Keepalived backends
- Any load balancer reachable from the Roxy-WI master/slave upload pipeline
Discovery Timeline
- 2026-06-10 - CVE-2026-45556 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-45556
Vulnerability Analysis
The flaw is an improper input validation issue [CWE-20] in the WAF rule save handler. The config_file_name field controls the destination path for the rule body sent in the config field. Roxy-WI relies on substring checks rather than canonical path validation. The validation chain _replace_config_path_to_correct followed by check_is_conf requires only two conditions: the path must contain a service substring (nginx, haproxy, apache2, httpd, or keepalived) and the substring conf or cfg. The chain rejects literal .. sequences but applies no canonicalization. Because master_slave_upload_and_restart writes the rule body verbatim to the resulting path, the attacker controls both destination and content.
Root Cause
The encoded-slash substitution that converts 92 into / runs before the substring inspection. An attacker bypasses the directory-traversal guard by encoding slashes numerically rather than using .. sequences. The substring checks accept any absolute path that happens to embed a service keyword and the token conf or cfg. There is no allow-list of writable directories and no comparison against a sanitized base path.
Attack Vector
An authenticated user with permission to manage WAF rules submits a crafted POST request. Setting config_file_name=92etc92cron.d92nginx_cfg_evil produces the resolved path /etc/cron.d/nginx_cfg_evil. The path contains both nginx and cfg, satisfying validation. The config field carries the cron job body, including the shell command to execute. The cron daemon parses /etc/cron.d/ on its next scan and runs the embedded command as root. Because Roxy-WI propagates configuration to every load balancer in the caller's group, a single request yields code execution across multiple hosts.
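The substring-based check described above, modelled as an added Python example (not Roxy-WI's own code) next to a hardened version that canonicalizes the decoded path and confines it to an allow-list of configuration directories; the allow-listed directories are assumed for this example.

```python
import os

# Service keywords and config tokens the advisory says the check looks for.
SERVICES = ("nginx", "haproxy", "apache2", "httpd", "keepalived")
CONFIG_TOKENS = ("conf", "cfg")

# Allow-list of base directories for the hardened check. These are assumed
# locations for this example, not taken from Roxy-WI.
ALLOWED_DIRS = ("/etc/nginx", "/etc/haproxy", "/etc/apache2", "/etc/httpd", "/etc/keepalived")


def decode_path(name: str) -> str:
    """The advisory's encoded-slash substitution: the token '92' becomes '/'."""
    return name.replace("92", "/")


def weak_check(name: str) -> bool:
    """Model of the substring checks described above: reject literal '..',
    require a service keyword plus 'conf' or 'cfg', and never canonicalize."""
    path = decode_path(name)
    if ".." in path:
        return False
    return any(s in path for s in SERVICES) and any(t in path for t in CONFIG_TOKENS)


def hardened_check(name: str) -> bool:
    """Canonicalize the decoded path and require it to sit inside an
    allow-listed directory; the keyword check alone is not trusted."""
    path = decode_path(name)
    if not path.startswith("/"):
        return False
    # Lexical normalization collapses '..', '.' and repeated slashes. In production
    # also apply os.path.realpath() so symlinks cannot escape the base directory.
    canon = os.path.normpath(path)
    for base in ALLOWED_DIRS:
        if os.path.commonpath([canon, base]) == base and canon != base:
            return True
    return False


# The payload from the advisory and a constructed legitimate rule path.
CRON_PAYLOAD = "92etc92cron.d92nginx_cfg_evil"
LEGIT_RULE = "92etc92nginx92waf92rule_12.conf"
```

The weak check accepts the cron payload because the resolved path happens to contain both nginx and cfg; the hardened check rejects it because /etc/cron.d is not under any allowed base.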
Detection Methods for CVE-2026-45556
Indicators of Compromise
- New or modified files under /etc/cron.d/ on managed load balancers, particularly with filenames embedding nginx, haproxy, apache2, httpd, or keepalived alongside conf or cfg.
- Roxy-WI access logs showing POST /waf/<service>/<server_ip>/rule/<rule_id>/save with a config_file_name value containing the encoded sequence 92.
- Cron-spawned root processes on load balancers without a corresponding administrative change request.
Detection Strategies
- Alert on writes to system directories (/etc/cron.d/, /etc/cron.hourly/, /etc/sudoers.d/, /root/.ssh/) by the Roxy-WI service account.
- Inspect HTTP request bodies sent to the WAF save endpoint for the literal substring 92 inside config_file_name.
- Correlate Roxy-WI API activity with subsequent cron execution events on the managed hosts.
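The request-body inspection from the strategies above, as an added Python example that is not part of the advisory: it scans constructed request records (method, path, form body) for POSTs to the WAF save endpoint whose config_file_name carries the encoded-slash token, resolves the target path, and rates writes into the system directories listed above as critical.

```python
import re
from urllib.parse import parse_qs

# Endpoint pattern and sensitive directories named in the advisory.
SAVE_ENDPOINT = re.compile(r"^/waf/[^/]+/[^/]+/rule/[^/]+/save$")
SYSTEM_DIRS = ("/etc/cron.d/", "/etc/cron.hourly/", "/etc/sudoers.d/", "/root/.ssh/")

# Constructed request records (method, path, form body) of the kind a
# body-logging reverse proxy could emit. Not real Roxy-WI traffic; the
# 'config' values are placeholders.
SAMPLE_REQUESTS = [
    ("POST", "/waf/nginx/10.0.0.5/rule/12/save",
     "config_file_name=nginx_rule_12.conf&config=placeholder"),
    ("POST", "/waf/haproxy/10.0.0.6/rule/3/save",
     "config_file_name=92etc92cron.d92nginx_cfg_evil&config=placeholder"),
    ("POST", "/waf/nginx/10.0.0.5/rule/12/save",
     "config_file_name=92etc92nginx92waf92rule_12.conf&config=placeholder"),
    ("GET", "/waf/nginx/10.0.0.5/rule/12/save", ""),
    ("POST", "/login", "user=admin&password=placeholder"),
]


def classify(method, path, body):
    """Return a finding for a WAF save request whose config_file_name carries the
    encoded-slash token '92', else None. A path resolving into a system directory
    is rated critical; any other use of the token is queued for review."""
    if method != "POST" or not SAVE_ENDPOINT.match(path):
        return None
    name = parse_qs(body, keep_blank_values=True).get("config_file_name", [""])[0]
    if "92" not in name:
        return None
    resolved = name.replace("92", "/")
    critical = any(resolved.startswith(d) for d in SYSTEM_DIRS)
    return {"endpoint": path, "config_file_name": name,
            "resolved_path": resolved, "severity": "critical" if critical else "review"}


def scan(requests):
    """Run classify over a batch of request records and keep the findings."""
    return [f for f in (classify(*r) for r in requests) if f is not None]
```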
Monitoring Recommendations
- Enable file integrity monitoring on /etc/cron.d/ and adjacent scheduled task directories on every load balancer.
- Forward Roxy-WI application logs and load balancer auth/cron logs to a central SIEM for correlation.
- Track outbound network connections initiated by cron-spawned processes to identify command-and-control activity.
How to Mitigate CVE-2026-45556
Immediate Actions Required
- Restrict network access to the Roxy-WI web interface to trusted administrative networks only.
- Disable or tightly scope user groups that hold WAF rule management privileges until a fix is available.
- Audit /etc/cron.d/ and other scheduled task directories on all managed load balancers for unauthorized entries.
- Rotate credentials and SSH keys on any load balancer suspected to have processed crafted WAF requests.
Patch Information
No vendor patch is available at the time of publication. Monitor the Roxy-WI GitHub Security Advisory GHSA-85gm-773v-x7m4 for fix release information.
Workarounds
- Place Roxy-WI behind a reverse proxy that blocks requests containing 92 inside the config_file_name parameter for the WAF save endpoint.
- Remove WAF rule management permissions from non-administrative Roxy-WI groups.
- Run the load balancer cron daemon with reduced privileges where supported, or disable /etc/cron.d/ scanning if the platform allows.
# Example reverse-proxy filter to block the encoded-slash payload.
# Stock nginx evaluates "if" before the request body has been read, so
# $request_body is empty there and a plain "if" test never matches. Inspecting
# the body needs a body-aware module; this version uses OpenResty's
# access_by_lua_block (lua-nginx-module).
location ~ ^/waf/[^/]+/[^/]+/rule/[^/]+/save$ {
    access_by_lua_block {
        if ngx.req.get_method() == "POST" then
            ngx.req.read_body()
            local args = ngx.req.get_post_args()
            local name = args and args["config_file_name"]
            -- plain (non-pattern) search for the literal token 92
            if type(name) == "string" and name:find("92", 1, true) then
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end
        end
    }
    proxy_pass http://roxywi_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.