CVE-2026-45564  Severity: HIGH  CNA: GitHub_M

CVE-2026-45564: Roxy-WI: Authenticated RCE via 'configver' URL parameter (os.system sink in /config/versions/.../save)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions/<service>/<server_ip>/<configver>/save interpolates the URL-path configver parameter directly into a config-version path that ends up at os.system(f"dos2unix -q {cfg}"). configver is not run through EscapedString (Pydantic doesn't validate path segments declared as str) and the surrounding .. block is the broken tuple-membership patch from GHSA-vapt-004. An authenticated user with role <= 3 ("user") therefore reaches a /bin/sh -c command-injection sink. At the time of publication, there are no publicly available patches.

Metrics

CVSS v3.1 base score: 8.8
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

Authenticated remote code execution (RCE) via OS command injection in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. The vulnerability is reachable over the network by any authenticated user holding the standard "user" role (role 3) or a more privileged one; the configver URL path parameter is interpolated unsanitized into the command string handed to os.system(), which runs it through /bin/sh -c, so shell metacharacters in that path segment become additional commands. Successful exploitation gives the attacker code execution as the Roxy-WI service account (full host compromise where that account is privileged): arbitrary command execution, access to all data the process can read, and the ability to modify or destroy configuration and state. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
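
The sink described in the advisory text and in the synopsis above, shown as an added illustration that is not Roxy-WI's own code: a handler that builds the os.system() string the way the advisory describes, next to a hardened version that allow-lists every URL segment and invokes dos2unix without a shell. The function names, CONFIG_DIR and the accepted naming pattern for configver are assumptions; the real naming scheme should be substituted before reuse.

```python
"""Vulnerable vs. hardened handling of the configver path segment.

Added illustration, not Roxy-WI's own code: function names, CONFIG_DIR and
the naming pattern accepted for configver are assumptions modelled on the
advisory's description of the os.system() sink.
"""
import re
import subprocess
from pathlib import Path

CONFIG_DIR = Path("/var/www/haproxy-wi/configs")  # assumed location
BASE = CONFIG_DIR.resolve()

# Assumed allow-list for one path segment: a single plain filename component
# that neither a shell nor the filesystem can interpret (no separators, no
# metacharacters, cannot start with '.', so '.' and '..' are excluded).
SEGMENT_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def vulnerable_save_cmd(service: str, server_ip: str, configver: str) -> str:
    """Mirror of the sink described in the advisory: the URL segment is
    interpolated into a path and the path into a shell command string.
    Upstream passes that string to os.system(), i.e. to /bin/sh -c; here it
    is returned instead of executed so the module is safe to import."""
    cfg = f"{CONFIG_DIR}/{service}/{server_ip}/{configver}"
    return f"dos2unix -q {cfg}"


def is_safe_configver(segment: str) -> bool:
    """True only for a segment that matches the allow-list above."""
    return SEGMENT_RE.fullmatch(segment) is not None


def hardened_save_cmd(service: str, server_ip: str, configver: str) -> list[str]:
    """Validate every URL segment, then build an argv list so no shell is
    involved at all. Raises ValueError on anything outside the allow-list."""
    for name, value in (("service", service), ("server_ip", server_ip),
                        ("configver", configver)):
        if not is_safe_configver(value):
            raise ValueError(f"invalid {name}: {value!r}")
    cfg = (CONFIG_DIR / service / server_ip / configver).resolve()
    # Defence in depth: the resolved path must still live under CONFIG_DIR.
    if BASE not in cfg.parents:
        raise ValueError("path escapes config directory")
    return ["dos2unix", "-q", str(cfg)]


def run_hardened_save(service: str, server_ip: str, configver: str) -> int:
    """Execute the validated command without a shell; returns the exit code."""
    argv = hardened_save_cmd(service, server_ip, configver)
    return subprocess.run(argv, check=False).returncode


if __name__ == "__main__":
    # A crafted segment as the server would see it after URL decoding
    # (constructed input for the demonstration).
    crafted = "x; id > /tmp/pwned #"
    print(vulnerable_save_cmd("haproxy", "10.0.0.5", crafted))
    try:
        hardened_save_cmd("haproxy", "10.0.0.5", crafted)
    except ValueError as err:
        print("rejected:", err)
```

If a shell genuinely cannot be avoided, the minimum is shlex.quote() on each interpolated value, but an argv list plus an allow-list on the segment is the fix a reviewer should ask for: it removes the shell from the picture and rejects traversal and separator tricks that quoting alone does not address.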

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-45564 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built images that bundle Roxy-WI at version 8.2.6.4 or earlier.

Triage: Available

Triage is available using the CVSS v3.1 base score of 8.8 (HIGH), weighted further by each customer environment's compliance policy configuration; findings are routed to the appropriate team inbox within each customer org based on severity thresholds and ownership mappings.

Patch: Pending upstream

Because no upstream fix version has been published for CVE-2026-45564, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainers ship a corrected release. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without requiring manual intervention.

Exploit Conditions

  • Network reachability: Required

    The Roxy-WI web interface must be reachable over the network; the attacker sends a crafted HTTP POST request to the vulnerable endpoint from any network-accessible client.

  • Authentication: Required

    A valid account with the standard "user" role (role 3) suffices; the more privileged roles, which carry lower role numbers in Roxy-WI, are not needed beyond basic login.

  • Victim interaction: Not required

    The attacker sends the malicious request directly to the server; no action by another user or administrator is needed.

  • Attack complexity: Low

    Exploitation is reliable and condition-free: no race condition, memory-layout dependency, or special environmental state is required to trigger the command injection (CVSS AC:L).

Blast Radius

  • Executes arbitrary operating system commands under the process identity of the Roxy-WI service, giving the attacker a remote shell on the host.
  • Reads all files accessible to the service process, including stored HAProxy, Nginx, Apache, and Keepalived configuration files, secrets, and credentials.
  • Modifies or overwrites server configuration files, allowing silent reconfiguration of load balancers and proxies managed through the interface.
  • Crashes or disrupts the Roxy-WI service and any managed backend services by corrupting configuration state or terminating processes.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-45564 is active and will flag any image in a customer registry or pipeline that ships Roxy-WI at version 8.2.6.4 or earlier. Because no upstream patch exists at this time, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment a fixed version is released by the maintainers. In the interim, compensating controls to consider are: isolating the Roxy-WI management interface behind a network policy that restricts inbound access to trusted operator subnets; running the service under an unprivileged account, since an injected command inherits the process identity; applying egress filtering on the host to limit what such a command can reach; and auditing user accounts so that only operators who need it hold role 3 or a more privileged role, because any such account can reach the sink. For customers with auto-remediation enabled, once a fix version is published HarborGuard will trigger a rebuild, run regression tests against the updated image, and open a PR against affected workloads automatically.
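
Until a fix ships, the request shape is specific enough to hunt for in web-server access logs. The following is an added example, not HarborGuard or Roxy-WI code: it parses constructed combined-format log lines, isolates the configver segment of POSTs to the save route named in the advisory, URL-decodes it as the server would, and flags anything /bin/sh -c could interpret. The log format, the sample lines and the metacharacter set are assumptions; tune the allow-list to the real config-version naming scheme before relying on it.

```python
"""Spot injection attempts against the vulnerable save endpoint in web-server
access logs. Added example, not HarborGuard or Roxy-WI code: the log lines
are constructed and the combined log format is assumed."""
import re
from urllib.parse import unquote

# Nginx/Apache combined format, request line split into method and target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# The route named in the advisory; configver is the third path segment.
SAVE_RE = re.compile(
    r"^/config/versions/(?P<service>[^/?]+)/(?P<server>[^/?]+)/"
    r"(?P<configver>[^/?]+)/save$"
)
# Anything /bin/sh -c could interpret, plus whitespace.
SHELL_META = re.compile(r"[;&|`$(){}<>\\'\"*?~\n]|\s")


def suspicious_configver(raw_segment: str) -> bool:
    """Decode the URL segment as the server would, then look for shell
    metacharacters, an encoded path separator, or a '.'/'..' component."""
    decoded = unquote(raw_segment)
    return (SHELL_META.search(decoded) is not None
            or "/" in decoded
            or decoded in (".", ".."))


def scan(lines):
    """Return (client_ip, decoded_configver, status) for every POST to the
    save route whose configver looks like an injection attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["target"].split("?", 1)[0]  # drop any query string
        s = SAVE_RE.match(path)
        if s and suspicious_configver(s["configver"]):
            hits.append((m["ip"], unquote(s["configver"]), m["status"]))
    return hits


# Constructed sample: one legitimate save, a GET that never reaches the sink,
# and two POSTs carrying shell metacharacters in the configver segment.
SAMPLE_LOG = [
    '10.0.0.7 - - [10/May/2026:12:00:01 +0000] "POST /config/versions/haproxy/10.0.0.5/haproxy-2026-05-10.cfg/save HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/May/2026:12:00:02 +0000] "POST /config/versions/haproxy/10.0.0.5/x%3Bid%3E%2Ftmp%2Fo/save HTTP/1.1" 200 512 "-" "curl/8.5.0"',
    '10.0.0.9 - - [10/May/2026:12:00:03 +0000] "GET /config/versions/haproxy/10.0.0.5/%24(id)/save HTTP/1.1" 405 0 "-" "curl/8.5.0"',
    '10.0.0.9 - - [10/May/2026:12:00:04 +0000] "POST /config/versions/haproxy/10.0.0.5/%24(id)/save HTTP/1.1" 200 512 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for ip, configver, status in scan(SAMPLE_LOG):
        print(f"{ip} -> {configver!r} (HTTP {status})")
```

A 200 on a flagged request means the injected command ran; correlate the client IP with the Roxy-WI session to identify which account was used, since a legitimate login is required to reach this endpoint.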

Affected packages
  • roxy-wi / roxy-wi: <= 8.2.6.4

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H