Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-45558

CVE-2026-45558: Roxy-WI HAProxy RCE Vulnerability

CVE-2026-45558 is a remote code execution vulnerability in Roxy-WI's HAProxy management interface. Attackers can inject malicious directives to execute commands on load balancers. This article covers technical details, affected versions, impact, and mitigation strategies.

Published:

CVE-2026-45558 Overview

CVE-2026-45558 is a configuration injection vulnerability in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. Versions 8.2.6.4 and prior fail to validate or escape the JSON option field in HAProxy section-save endpoints. The unsanitized input renders verbatim into HAProxy configuration files through Ansible templates. Roxy-WI then deploys the configuration and reloads HAProxy, executing attacker-controlled directives on managed load balancers. An authenticated low-privileged user can achieve remote code execution as the haproxy user on every load balancer their group manages.

Critical Impact

Authenticated users with role ≤ 3 can inject arbitrary HAProxy directives to gain remote code execution on all managed load balancers. No patch is available at publication.

Affected Products

  • Roxy-WI versions 8.2.6.4 and prior
  • HAProxy load balancers managed by vulnerable Roxy-WI instances
  • Server groups deploying configurations through affected endpoints

Discovery Timeline

  • 2026-06-10 - CVE-2026-45558 published to NVD
  • 2026-06-10 - Last updated in NVD database

Technical Details for CVE-2026-45558

Vulnerability Analysis

The vulnerability resides in the HAProxy section-save endpoints exposed by Roxy-WI. The POST /api/service/haproxy/<server_id>/section/<section_type> endpoint and the corresponding PUT variants for global and defaults sections accept a JSON option field. This field receives no validation or escaping before being passed to Ansible templates.

The section.j2, global.j2, and defaults.j2 templates render the option value verbatim into the generated HAProxy configuration. Roxy-WI then pushes the rendered configuration to the target load balancer and issues systemctl reload haproxy, applying the injected directives immediately.

The weakness maps to [CWE-20] Improper Input Validation. Because the application trusts authenticated user input as configuration data, any HAProxy directive becomes attacker-controllable. The combination of unsafe template rendering and automated deployment turns a configuration form into a remote code execution primitive across the entire managed fleet.

Root Cause

The root cause is missing input validation on the option JSON field accepted by HAProxy section-save endpoints. Ansible Jinja2 templates emit the value into configuration files without sanitization, allowing newline-separated directives and arbitrary HAProxy options to enter production configs.

Attack Vector

An authenticated user with role ≤ 3 (user) submits a crafted JSON payload to an affected endpoint. The payload includes HAProxy directives such as option external-check combined with external-check command /bin/bash -c '…'. When HAProxy performs health checks on the configured backend, it executes the supplied shell command as the haproxy system user. Code execution occurs on every health-check interval across all load balancers in the user's group.

The vulnerability requires network access to the Roxy-WI API and valid user credentials, but no administrative privileges. See the GitHub Security Advisory for full technical context.

Detection Methods for CVE-2026-45558

Indicators of Compromise

  • Presence of option external-check or external-check command directives in HAProxy configurations not introduced through approved change management.
  • Unexpected child processes of the haproxy daemon, particularly /bin/bash, /bin/sh, or interpreter invocations.
  • Outbound network connections from load balancer hosts originating from the haproxy user context.
  • Audit log entries showing POST or PUT requests to /api/service/haproxy/<server_id>/section/* endpoints by low-privileged accounts.

Detection Strategies

  • Monitor HAProxy configuration files for unauthorized directives, especially those invoking external commands or shells.
  • Inspect Roxy-WI API access logs for section-save calls containing shell metacharacters or newline-encoded payloads in the option field.
  • Correlate systemctl reload haproxy events with the user identity that initiated the Roxy-WI configuration change.

Monitoring Recommendations

  • Enable process execution telemetry on all load balancer hosts and alert on processes spawned by haproxy.
  • Track filesystem changes to /etc/haproxy/haproxy.cfg and related includes with integrity monitoring.
  • Centralize Roxy-WI application logs and HAProxy reload events in a SIEM for cross-correlation.

How to Mitigate CVE-2026-45558

Immediate Actions Required

  • Restrict network access to the Roxy-WI management interface to trusted administrators until a patch is released.
  • Audit all Roxy-WI user accounts and downgrade or disable accounts that do not require HAProxy configuration privileges.
  • Review current HAProxy configurations across the managed fleet for unauthorized external-check or other unexpected directives.
  • Rotate credentials for any Roxy-WI account suspected of compromise and inspect load balancer hosts for backdoors.

Patch Information

No official patch is available at the time of publication. Monitor the Roxy-WI GitHub Security Advisory GHSA-w2x4-66jj-3597 for fix releases and update guidance.

Workarounds

  • Block or proxy-filter POST and PUT requests to /api/service/haproxy/<server_id>/section/* endpoints at an upstream gateway for non-administrative users.
  • Apply a web application firewall rule that rejects section-save payloads containing external-check, backticks, or shell metacharacters in the option field.
  • Run HAProxy under a strict systemd sandbox using NoNewPrivileges=yes, ProtectSystem=strict, and a restricted SystemCallFilter to limit the impact of injected commands.
  • Remove external-check capability from the HAProxy binary or compile without external-check support in environments where the feature is not required.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.