CVE-2026-45556 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-45556: Roxy-WI: Authenticated arbitrary file write on every managed load balancer (and downstream RCE) via WAF rule save `config_file_name`

Roxy-WI is a web interface for managing HAProxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /waf/<service>/<server_ip>/rule/<rule_id>/save accepts a config_file_name form field that is passed straight through to config_mod.master_slave_upload_and_restart(...) as the destination path on the managed load balancer. The validation chain (_replace_config_path_to_correct → check_is_conf) only requires the path to contain one of the hard-coded service substrings (nginx, haproxy, apache2, httpd or keepalived) and the substring conf or cfg, and not to contain `..`. The encoded-slash substitution (92 → /) is applied before the substring check, so the attacker can build any absolute path on the LB filesystem that satisfies those substring constraints; the check never anchors the path to a configuration directory. The body of the WAF rule (the config form field) is then written verbatim to that path.

By choosing a filename such as 92etc92cron.d92nginx_cfg_evil (which resolves to /etc/cron.d/nginx_cfg_evil), an attacker drops a cron entry with attacker-controlled content on the load balancer. Cron parses the file on its next scan and executes the embedded job as root, giving full RCE on every load balancer the caller's group manages. At the time of publication there are no publicly available patches.
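To make the bypass concrete, here is an added Python model of the validation chain the advisory describes, followed by a hardened replacement. This is example code written for this page, not Roxy-WI's own source: the function names, the 92 → / decoding and the substring rules are taken from the description above, while the allow-listed configuration roots in ALLOWED_CONFIG_ROOTS are an assumption about where a deployment keeps its configs.

```python
import posixpath
from typing import Optional

# Substring rules as described in the advisory (model, not Roxy-WI's code).
SERVICE_SUBSTRINGS = ("nginx", "haproxy", "apache2", "httpd", "keepalived")
CONF_SUBSTRINGS = ("conf", "cfg")

# Assumed allow-list of directories a config file may be written under.
# A real deployment should derive this from the service being edited.
ALLOWED_CONFIG_ROOTS = (
    "/etc/nginx/",
    "/etc/haproxy/",
    "/etc/apache2/",
    "/etc/httpd/",
    "/etc/keepalived/",
)


def decode_config_file_name(config_file_name: str) -> str:
    """Apply the encoded-slash convention from the advisory: '92' stands for '/'."""
    return config_file_name.replace("92", "/")


def weak_check_is_conf(path: str) -> bool:
    """Model of the substring-only check: a service name, 'conf' or 'cfg', and no '..'."""
    has_service = any(s in path for s in SERVICE_SUBSTRINGS)
    has_conf = any(c in path for c in CONF_SUBSTRINGS)
    return has_service and has_conf and ".." not in path


def weak_validate(config_file_name: str) -> Optional[str]:
    """Vulnerable flow: decode first, then run the substring check on the result."""
    path = decode_config_file_name(config_file_name)
    return path if weak_check_is_conf(path) else None


def strict_validate(config_file_name: str,
                    allowed_roots=ALLOWED_CONFIG_ROOTS) -> Optional[str]:
    """Hardened flow: decode, normalise lexically, then require an allow-listed prefix.

    The file is written on a remote load balancer, so this check is lexical;
    the agent performing the write should additionally resolve symlinks on the
    target host (os.path.realpath) and re-apply the same prefix check before writing.
    """
    path = decode_config_file_name(config_file_name)
    if not path.startswith("/") or "\x00" in path or "\n" in path:
        return None
    norm = posixpath.normpath(path)          # collapses '.', '..' and '//'
    if not any(norm.startswith(root) for root in allowed_roots):
        return None                          # e.g. /etc/cron.d/... is rejected here
    if not norm.endswith((".conf", ".cfg")):
        return None                          # the extension, not a substring, decides
    return norm


def classify(config_file_name: str) -> str:
    """Run both checks on one input: 'ok', 'bypass' (weak accepts, strict rejects) or 'rejected'."""
    weak, strict = weak_validate(config_file_name), strict_validate(config_file_name)
    if strict is not None:
        return "ok"
    return "bypass" if weak is not None else "rejected"


if __name__ == "__main__":
    for name in ("92etc92nginx92conf.d92site.conf",
                 "92etc92cron.d92nginx_cfg_evil",
                 "92etc92nginx92..92cron.d92nginx.conf"):
        print(f"{name:45} -> {classify(name)}")
```

The advisory's filename passes weak_validate because "nginx" and "cfg" appear in the basename, while the prefix check in strict_validate rejects it regardless of what the basename contains; the third sample shows that the original `..` filter alone is not what protects a prefix check, since normpath collapses the traversal before the prefix is compared.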

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

An authenticated arbitrary file write vulnerability affects Roxy-WI versions 8.2.6.4 and prior, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. The flaw is reachable over the network by any low-privilege authenticated user and needs no victim interaction. The WAF rule save endpoint validates its destination path only by substring (a service name plus conf or cfg, and no `..`), and it applies the 92 → / slash decoding before that check, so an attacker can name any absolute path on the managed load balancer without ever using a traversal sequence. Successful exploitation writes attacker-controlled content to that path on every load balancer the account's group manages; a file dropped into /etc/cron.d is picked up by cron and executed as root, which is full remote code execution on the load balancers themselves rather than on the Roxy-WI host (hence the changed scope, S:C, in the CVSS vector). No fix version has been published; HarborGuard tracks this advisory and will make a patched-image rebuild available the moment upstream ships a fix.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-45556 is active across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Roxy-WI, in both registry scans and CI/CD pipeline checks.

Triage: Available

HarborGuard scores this CVE at its published CVSS v3.1 rating of 9.9 (Critical), weights that score against each customer environment's compliance policy, and routes the finding to the appropriate team inbox within each organization.

Patch: Pending upstream

Because no upstream fix version has been published for CVE-2026-45556, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically once the upstream project ships a corrected release. For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention as soon as a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The vulnerable WAF rule save endpoint is exposed over the network, so the attacker must be able to reach the Roxy-WI web interface over HTTP/HTTPS.

  • Authentication: Required

    A valid Roxy-WI account is required, but any low-privilege account is sufficient; no administrative role is needed. The reachable targets are the load balancers in the groups that account manages.

  • Victim interaction: Not required

    The attacker sends a crafted POST request directly to the endpoint; no action from another user is needed.

  • Attack complexity: Low

    Exploitation is deterministic: the 92 → / substitution and the substring check behave the same on every request, so no race condition or special environmental factor is needed. The root-RCE step assumes only that the target load balancer runs a cron daemon that reads /etc/cron.d, which is the norm on mainstream Linux distributions.

Blast Radius

  • Writes attacker-controlled file content to any absolute path on the filesystem of every load balancer the compromised account's group manages, subject only to substring constraints (a service name plus conf or cfg anywhere in the path) that the attacker satisfies with the file name itself.
  • Achieves remote code execution as root on affected load balancers by dropping a crafted cron job (for example, into /etc/cron.d/) that the system cron daemon picks up and executes on its next scan cycle.
  • Exposes all data on the load balancer, including TLS private keys, HAProxy/Nginx configuration secrets, and any credentials stored in configuration files.
  • Enables persistent tampering with load balancer routing configuration, potentially redirecting or intercepting traffic for all services fronted by the affected infrastructure.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45556 is active across all scanned environments, matching any image that includes Roxy-WI at or below version 8.2.6.4. Because the upstream project has not yet published a patch, no automatic rebuild is available at this time; HarborGuard re-checks the advisory on every ingest cycle, and for customers who opt into auto-remediation a rebuilt image, regression test run, and PR against affected workloads are triggered automatically the moment a fix version is published.

While no patch exists, the following compensating controls are worth evaluating:

  • Restrict network access to the Roxy-WI management interface with network policy or firewall rules so that only trusted operator addresses can reach it; every exploitation path starts with an authenticated HTTP request to the save endpoint.
  • Enforce least privilege on Roxy-WI accounts: any authenticated account can reach the endpoint, so the blast radius is bounded only by the load balancer groups an account is allowed to manage. Prune group membership and review which groups each account holds.
  • Monitor cron directories on managed load balancers (/etc/cron.d in particular) for unexpected file creation or modification, and alert on any cron file you did not deploy yourself.
  • If request bodies to the Roxy-WI interface are logged at a proxy in front of it, review POSTs to the WAF rule save endpoint for config_file_name values whose decoded path (92 → /) falls outside the expected HAProxy/Nginx/Apache/Keepalived configuration directories.

Where compliance policy permits, HarborGuard can surface this CVE as a blocking finding in CI/CD pipelines to prevent promotion of affected images until a patched version is available.
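The cron-directory monitoring control above, as an added Python example (not HarborGuard's or Roxy-WI's code): it records a baseline of sha256 digests for a cron drop-in directory and reports files that were added, modified or removed, quoting the first job line of any new or changed file so the analyst sees what would run. The demo() function builds a throwaway directory with constructed sample files rather than touching the real /etc/cron.d; the planted file name is the one from the advisory and its job line is a harmless constructed placeholder.

```python
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(cron_dir: str) -> Dict[str, str]:
    """Map file name -> sha256 for every regular file directly inside cron_dir."""
    snap = {}
    for name in sorted(os.listdir(cron_dir)):
        full = os.path.join(cron_dir, name)
        if os.path.isfile(full):
            snap[name] = sha256_of(full)
    return snap


def first_job_line(path: str) -> str:
    """Return the first crontab entry, skipping comments, blank lines and VAR=value settings."""
    with open(path, "r", errors="replace") as f:
        for line in f:
            s = line.strip()
            if not s or s.startswith("#"):
                continue
            if "=" in s.split()[0]:      # SHELL=..., PATH=..., MAILTO=...
                continue
            return s
    return ""


def diff_cron_dir(cron_dir: str, baseline: Dict[str, str]) -> List[dict]:
    """Compare cron_dir against a recorded baseline and list every deviation."""
    current = snapshot(cron_dir)
    findings = []
    for name, digest in current.items():
        if name not in baseline:
            change = "added"
        elif baseline[name] != digest:
            change = "modified"
        else:
            continue
        findings.append({"file": name, "change": change,
                         "job": first_job_line(os.path.join(cron_dir, name))})
    for name in baseline:
        if name not in current:
            findings.append({"file": name, "change": "removed", "job": ""})
    return findings


def demo() -> List[dict]:
    """Build a constructed cron.d, take a baseline, plant a drop-in, and diff.

    Only touches a temporary directory; nothing is installed on the host.
    """
    cron_dir = tempfile.mkdtemp(prefix="cron.d-")
    legit = {  # constructed sample entries standing in for a known-good baseline
        "logrotate": "# constructed sample\n0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n",
        "certbot": "SHELL=/bin/sh\n17 */12 * * * root /usr/bin/certbot renew -q\n",
    }
    for name, body in legit.items():
        with open(os.path.join(cron_dir, name), "w") as f:
            f.write(body)
    baseline = snapshot(cron_dir)

    # Simulated drop-in using the file name from the advisory; the job is a harmless placeholder.
    with open(os.path.join(cron_dir, "nginx_cfg_evil"), "w") as f:
        f.write("SHELL=/bin/sh\n* * * * * root /usr/bin/id > /tmp/roxywi_cron_test\n")
    # Simulated tampering with an existing entry.
    with open(os.path.join(cron_dir, "certbot"), "a") as f:
        f.write("*/5 * * * * root /usr/bin/true\n")

    findings = diff_cron_dir(cron_dir, baseline)
    shutil.rmtree(cron_dir, ignore_errors=True)
    return findings


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['change']:9} {finding['file']:20} {finding['job']}")
```

In production the baseline would be taken from a freshly provisioned load balancer and stored off-host, and diff_cron_dir run on a schedule (or from an inotify/auditd trigger on the directory) with any "added" or "modified" result raised as an alert; a file whose name carries a service keyword and conf/cfg but sits in a cron directory is exactly the artifact this advisory predicts.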

Affected packages
  • roxy-wi / roxy-wi: <= 8.2.6.4

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H