HarborGuard Database

CVE-2026-45558 | Severity: CRITICAL | CNA: GitHub_M

CVE-2026-45558: Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field config injection in section save

Roxy-WI is a web interface for managing HAProxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints (POST /api/service/haproxy/<server_id>/section/<section_type> and the PUT, global and defaults variants) accept a JSON `option` field that is neither validated nor escaped and is rendered verbatim into the generated HAProxy configuration via the section.j2, global.j2 and defaults.j2 Ansible templates. Because Roxy-WI then pushes the generated config to the load balancer and runs systemctl reload haproxy, an authenticated user with role ≤ 3 (user) can inject arbitrary HAProxy directives into the config that runs on every load balancer their group manages, including option external-check together with external-check command /bin/bash -c '…', which gives remote code execution on the load balancer as the haproxy user on every health-check tick. At time of publication, there are no publicly available patches.
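To make the root cause concrete, here is an added Python example that is not Roxy-WI's code. The unsafe renderer is a constructed stand-in for the verbatim Jinja2 behaviour the advisory describes (it is not the project's section.j2 template), and the keyword allow-list is an assumption chosen for illustration. It shows the verbatim render beside a validator that accepts only one known `option` directive on one line, which is the check the save endpoint is missing:

```python
import re

# Constructed stand-in for the verbatim template rendering the advisory
# describes: whatever arrives in the JSON "option" field lands in the config
# unchanged. Illustrative only; this is not Roxy-WI's section.j2 template.
def render_section_unsafe(name: str, options: list[str]) -> str:
    lines = [f"listen {name}"]
    for opt in options:
        lines.append(f"    option {opt}")   # no validation, no escaping
    return "\n".join(lines) + "\n"

# Assumed allow-list of HAProxy "option" keywords a UI could expose.
# "external-check" is deliberately absent: it is the keyword that turns a
# config edit into program execution by the haproxy process.
SAFE_OPTION_KEYWORDS = frozenset({
    "httplog", "tcplog", "dontlognull", "http-server-close", "http-keep-alive",
    "forwardfor", "redispatch", "httpchk", "tcp-check",
})

# One keyword, optional arguments, all on one line. Line breaks, '#' and ';'
# are excluded from the arguments so a second directive cannot be smuggled in.
_OPTION_RE = re.compile(r"^([a-z][a-z0-9-]*)(?:[ \t]+([^\r\n#;]*))?$")

def validate_option(value: str) -> str:
    """Return a normalised option line, or raise ValueError if it is not one known directive."""
    if not isinstance(value, str):
        raise ValueError("option must be a string")
    m = _OPTION_RE.match(value.strip())
    if m is None:
        raise ValueError("option must be exactly one directive on one line")
    keyword, args = m.group(1), (m.group(2) or "").strip()
    if keyword not in SAFE_OPTION_KEYWORDS:
        raise ValueError(f"option keyword not allowed: {keyword}")
    return f"{keyword} {args}" if args else keyword

def is_valid_option(value: str) -> bool:
    """Boolean wrapper around validate_option for request handlers and tests."""
    try:
        validate_option(value)
        return True
    except ValueError:
        return False

def render_section_safe(name: str, options: list[str]) -> str:
    """Hardened variant: every option must pass the allow-list before the template sees it."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", name):
        raise ValueError("invalid section name")
    return render_section_unsafe(name, [validate_option(o) for o in options])

if __name__ == "__main__":
    # Constructed samples: a benign option and one that carries a second line.
    print(render_section_safe("web", ["httpchk GET /health"]))
    print(is_valid_option("httplog\nexternal-check"))   # False
```

The important design choice is that validation is structural (one keyword, one line, known keyword) rather than a blacklist of bad strings; escaping alone would not help here because HAProxy configuration has no quoting that neutralises a new directive on a new line.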

Metrics

  • CVSS v3.1: 9.9
  • Severity: CRITICAL
  • Fixed in: none yet (no upstream fix published)
  • Affected products: 1


HarborGuard Analysis

Synopsis

This is a configuration-injection vulnerability in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. An authenticated attacker with any standard user account (role level 3 or below) can send a crafted JSON payload to the HAProxy section-save API endpoints; the unvalidated option field is written verbatim into generated HAProxy configuration files, which are then pushed to managed load balancers and reloaded. Successful exploitation gives the attacker remote code execution as the haproxy OS user on every load balancer the attacker's group manages. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment the upstream project publishes a fix.

HarborGuard Coverage

Detection

Detection capability for CVE-2026-45558 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Roxy-WI. Any image at or below version 8.2.6.4 is flagged automatically.

Status: Available
Triage

HarborGuard scores this CVE at CVSS 9.9 Critical and weights it further against each environment's compliance policy before routing the alert to the appropriate team inbox. Because no fix version exists yet, the finding is surfaced with a "no patch available" marker to help prioritizers distinguish it from actionable patch-ready findings.

Status: Available
Patch

Because no upstream fix has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available at the fixed version the moment one is released. For customers with auto-remediation enabled, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically once a fix version is confirmed.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The Roxy-WI management interface must be reachable over the network; the attacker sends crafted HTTP requests to the section-save API endpoints remotely.

  • Authentication: Required

    A valid Roxy-WI account is needed, but any low-privilege user account with role level 3 (standard user) or below is sufficient.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker's API request directly triggers config generation and reload on the load balancers.

  • Attack complexity: Low

    Attack complexity is low: no race conditions or special environmental conditions are required, and the injection is reliably triggered by a single well-formed API call.

Blast Radius

  • Executes arbitrary OS commands as the haproxy user on every HAProxy load balancer managed by the attacker's Roxy-WI group, on each health-check tick after config reload.
  • Reads secrets, certificates, and configuration data accessible to the haproxy process on affected load balancers, including proxied traffic metadata.
  • Modifies or corrupts the running HAProxy configuration, enabling traffic redirection, rule removal, or denial of service for workloads behind those load balancers.
  • Provides a foothold on the load-balancer host that can be used to pivot toward internal network segments the load balancer is positioned to reach.

How HarborGuard Handles This

Available on HarborGuard: detection is active for any image shipping Roxy-WI at or below version 8.2.6.4, with findings surfaced as Critical and marked "no patch available" until upstream publishes a fix. Because there is no published fix at this time, HarborGuard monitors the advisory feed on every ingest cycle and will trigger the rebuild-and-PR flow automatically for customers with auto-remediation enabled the moment a patched version is released. In the interim, compensating controls worth considering include network-policy isolation that restricts access to the Roxy-WI management interface to a named set of trusted source IPs, egress filtering on load-balancer hosts to block unexpected outbound connections initiated by the haproxy process, and auditing Roxy-WI user accounts to remove or downgrade any accounts that do not require section-save access. Customers with a feature-flag or WAF layer in front of the management interface can also consider blocking POST and PUT requests to the /api/service/haproxy/*/section/* path patterns as a short-term mitigation.
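Two of the compensating controls above can be expressed directly as code: the WAF-style block on mutating requests to the section-save path pattern, and an audit of generated HAProxy configs for directives that make the haproxy process execute a program. The following is an added Python example, not HarborGuard's or Roxy-WI's code; the path pattern is the one given in this advisory, and the sample configuration is constructed for the demonstration:

```python
import re

# Path pattern from the advisory's short-term WAF mitigation:
# POST/PUT to /api/service/haproxy/<server_id>/section/<section_type>.
_SECTION_SAVE_RE = re.compile(r"^/api/service/haproxy/[^/]+/section/[^/]+/?$")
BLOCKED_METHODS = frozenset({"POST", "PUT"})

def should_block(method: str, path: str) -> bool:
    """True when a request is a mutating call to the section-save endpoints."""
    path = path.split("?", 1)[0]          # the pattern applies to the path, not the query
    return method.upper() in BLOCKED_METHODS and _SECTION_SAVE_RE.match(path) is not None

# Directives that cause HAProxy to run an external program. In a config
# generated from web-UI input, any of these is worth an alert.
_EXEC_DIRECTIVE_RE = re.compile(r"^\s*(option\s+external-check|external-check\s+(command|path))\b")

def audit_haproxy_cfg(cfg_text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every directive that enables external command execution."""
    hits = []
    for n, line in enumerate(cfg_text.splitlines(), start=1):
        code = line.split("#", 1)[0]      # ignore trailing comments
        if _EXEC_DIRECTIVE_RE.match(code):
            hits.append((n, line.strip()))
    return hits

# Constructed sample config; the script path is a placeholder, not a real artefact.
SAMPLE_CFG = """\
global
    log /dev/log local0
defaults
    mode http
    option httplog
listen web
    bind *:80
    option httpchk GET /health
    option external-check
    external-check command /placeholder/script
    server app1 10.0.0.10:8080 check
"""

if __name__ == "__main__":
    print(should_block("POST", "/api/service/haproxy/12/section/listen"))   # True
    for n, line in audit_haproxy_cfg(SAMPLE_CFG):
        print(f"line {n}: {line}")
```

Run the audit against the config Roxy-WI renders (or the file it pushes to each load balancer) before reload, or on a schedule on the load-balancer hosts themselves; a hit in a config that is supposed to contain only UI-managed sections is a strong signal regardless of which account saved the section.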

Affected packages

  • roxy-wi / roxy-wi: <= 8.2.6.4

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H