PatchSiren cyber security CVE debrief
CVE-2026-45558 roxy-wi CVE debrief
CVE-2026-45558 is a critical vulnerability in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. An authenticated user with role ≤ 3 (user) can inject arbitrary HAProxy directives into the configuration, leading to remote code execution on the load balancer as the haproxy user.
- Vendor: roxy-wi
- Product: Unknown
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Administrators and users of Roxy-WI, particularly those with role ≤ 3 (user), should be aware of this vulnerability and take immediate action to mitigate it.
Technical summary
The HAProxy section-save endpoints in Roxy-WI versions 8.2.6.4 and prior accept a JSON option field that is not validated or escaped. This allows an authenticated user to inject arbitrary HAProxy directives into the configuration, which is then pushed to the load balancer and executed.
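One way to validate a free-text option field before it is rendered into an HAProxy section, shown as an added example; it is not Roxy-WI's code or its patch. The function names, the allowlist contents and the line limit are assumptions chosen for illustration.

```python
import re

# Assumption: keywords an operator chooses to permit in the free-text field.
ALLOWED_KEYWORDS = {"option", "timeout", "balance", "maxconn", "mode"}
# HAProxy section headers; a line starting with one would open a new section.
SECTION_KEYWORDS = {"global", "defaults", "frontend", "backend", "listen"}
# Characters permitted in a directive line: no control chars, quotes or metacharacters.
SAFE_LINE = re.compile(r"[A-Za-z0-9 ._:/-]+")
MAX_LINES = 20


class OptionRejected(ValueError):
    """Raised when the submitted option text must not reach the config."""


def validate_option_field(value):
    """Return normalized directive lines, or raise OptionRejected."""
    if not isinstance(value, str):
        raise OptionRejected("option must be a string")
    lines = [ln.strip() for ln in value.replace("\r\n", "\n").split("\n")]
    lines = [ln for ln in lines if ln]
    if len(lines) > MAX_LINES:
        raise OptionRejected("too many directive lines")
    for ln in lines:
        if not SAFE_LINE.fullmatch(ln):
            raise OptionRejected(f"disallowed characters in line: {ln!r}")
        keyword = ln.split(" ", 1)[0].lower()
        if keyword in SECTION_KEYWORDS:
            raise OptionRejected(f"section header not allowed: {keyword}")
        if keyword not in ALLOWED_KEYWORDS:
            raise OptionRejected(f"directive not on allowlist: {keyword}")
    return lines


def check(value):
    """Convenience wrapper: (accepted, detail) without raising."""
    try:
        return True, validate_option_field(value)
    except OptionRejected as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from the advisory.
    for sample in ["option httplog\ntimeout client 30s",
                   "option httplog\nglobal",
                   "balance roundrobin\nnot-a-listed-directive value"]:
        print(check(sample))
```

The same function can be run over a stored section's lines to flag directives that fall outside the allowlist during a configuration review.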
Defensive priority
High
Recommended defensive actions
- Upgrade to a patched version of Roxy-WI, if available.
- Restrict access to the HAProxy section-save endpoints to authorized users only.
- Monitor HAProxy configurations for suspicious changes.
Evidence notes
CVE-2026-45558 has a CVSS score of 9.9 and is considered CRITICAL. The vulnerability was published on 2026-06-10T15:16:36.600Z and last modified on 2026-06-10T19:37:41.437Z.
Official resources
- CVE-2026-45558 CVE record (CVE.org)
- CVE-2026-45558 NVD detail (NVD)
- Source item URL (nvd_modified)
- Source reference
CVE-2026-45558 was publicly disclosed on [2026-06-10](https://www.cve.org/CVERecord?id=CVE-2026-45558).