PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45556 roxy-wi CVE debrief

CVE-2026-45556 is a critical remote code execution (RCE) vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The vulnerability affects versions 8.2.6.4 and prior. An attacker can exploit this vulnerability by sending a crafted POST request to the /waf/<service>/<server_ip>/rule/<rule_id>/save endpoint, which allows them to write arbitrary content to any file on the load balancer's filesystem. By choosing a filename like 92etc92cron.d92nginx_cfg_evil, an attacker can drop a cron entry on the load balancer with attacker-controlled content, leading to full RCE on every load balancer the caller's group manages.

Vendor
roxy-wi
Product
Unknown
CVSS
CRITICAL 9.9
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-10
Original CVE updated
2026-06-10
Advisory published
2026-06-10
Advisory updated
2026-06-10

Who should care

Administrators and users of Roxy-WI, particularly those managing load balancers, should be aware of this vulnerability and take immediate action to patch or mitigate it.

Technical summary

The vulnerability stems from inadequate validation of the config_file_name form field in the POST /waf/<service>/<server_ip>/rule/<rule_id>/save endpoint. The validation chain only requires the path to contain a hard-coded service substring (nginx, haproxy, apache2, httpd or keepalived) plus the substring conf or cfg, and not to contain the sequence "..". Because the encoded-slash substitution (92 → /) is applied before these substring checks, an attacker can assemble any absolute path on the load balancer's filesystem, since an absolute path trivially satisfies all three conditions.
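The following is an added illustration, not Roxy-WI's own code: it reconstructs the substring-only check described above from the debrief's wording, and contrasts it with a containment-based check that canonicalises the decoded name against a per-service allowlisted directory. The allowlisted directories and the decode step are assumptions for the example; only the 92 → / substitution and the substring conditions come from the debrief.

```python
import os
from typing import Optional

# Assumed per-service config directories for the example; the real layout of
# a Roxy-WI managed host is not stated on the page.
ALLOWED_DIRS = {
    "nginx": "/etc/nginx/conf.d",
    "haproxy": "/etc/haproxy",
    "apache2": "/etc/apache2/sites-available",
    "keepalived": "/etc/keepalived",
}


def decode_name(raw: str) -> str:
    """Apply the encoded-slash substitution the debrief describes: '92' -> '/'."""
    return raw.replace("92", "/")


def weak_check(service: str, raw: str) -> bool:
    """Reconstruction of the substring-only validation the debrief describes.
    Passes any decoded path that merely mentions the service and conf/cfg."""
    path = decode_name(raw)
    return service in path and ("conf" in path or "cfg" in path) and ".." not in path


def hardened_path(service: str, raw: str) -> Optional[str]:
    """Return the absolute target path only if it is a .conf/.cfg file that
    resolves inside the service's allowlisted directory; otherwise None."""
    base = ALLOWED_DIRS.get(service)
    if base is None:
        return None
    name = decode_name(raw)
    # Absolute names would make os.path.join discard the base; reject outright.
    if name.startswith("/"):
        return None
    if not name.endswith((".conf", ".cfg")):
        return None
    # Canonicalise after joining so '..' segments are collapsed, then require
    # that the result is still contained in base. On a live host, apply
    # os.path.realpath to both sides as well so symlinks cannot escape base.
    target = os.path.normpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        return None
    return target
```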

Defensive priority

High

Recommended defensive actions

  • Upgrade to a patched version of Roxy-WI, if available.
  • Restrict access to the /waf/<service>/<server_ip>/rule/<rule_id>/save endpoint.
  • Monitor for suspicious activity on the load balancer's filesystem and cron jobs.

Evidence notes

The CVE record and NVD detail provide evidence of the vulnerability's existence and its critical severity.

Official resources

CVE-2026-45556 was published on 2026-06-10T15:16:36.457Z and modified on 2026-06-10T19:37:41.437Z.