Severity: HIGH | CVE-2026-45565 | CNA: GitHub_M

CVE-2026-45565: Roxy-WI: EscapedString validator skips its '..' block when stripping (root cause for several path-traversal/RCE vectors)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, EscapedString (app/modules/roxywi/class_models.py:16-30) is the centralised Pydantic validator used on dozens of fields including SSH credential name, username, description, etc. Its if/elif/elif/else flow returns the metacharacter-stripped value without also enforcing the .. block. An attacker who appends a single ;, &, |, $, or backtick to a .. payload routes the value through the strip arm, where .. survives unblocked and the result is not shlex.quote()'d either. At time of publication, there are no publicly available patches.
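As an added illustration (not Roxy-WI's code and not taken from this advisory), the following Python reconstructs the control-flow shape the advisory describes, where a '..' check lives in its own elif arm and is skipped whenever the strip arm returns first, and places a fail-closed validator beside it; the branch order, the metacharacter set and the helper names are assumptions.

```python
import re
import shlex

# Constructed reconstruction of the control-flow bug the advisory describes.
# This is NOT Roxy-WI's EscapedString; branch order, metacharacter set and
# helper names are assumptions made for illustration only.
SHELL_META = re.compile(r"[;&|$`]")


def flawed_validate(value: str) -> str:
    """if/elif/elif/else: the first matching arm returns, so the '..' arm is
    never reached once the strip arm fires."""
    if value == "":
        return value
    elif SHELL_META.search(value):
        # Strip arm: metacharacters removed, '..' never re-checked, no quoting.
        return SHELL_META.sub("", value)
    elif ".." in value:
        raise ValueError("path traversal blocked")
    else:
        return value


def hardened_validate(value: str) -> str:
    """Fail closed: every check is applied on every path, and the value is
    rejected rather than stripped (stripping invites re-assembly tricks)."""
    if value == "":
        return value
    if SHELL_META.search(value):
        raise ValueError("shell metacharacter not allowed")
    if ".." in value:
        raise ValueError("path traversal blocked")
    return value


def allows_traversal(validator, value: str) -> bool:
    """True if the validator hands back a value that still contains '..'."""
    try:
        return ".." in validator(value)
    except ValueError:
        return False


def shell_arg(value: str) -> str:
    """Quote at the point of use as well; validation alone is not enough."""
    return shlex.quote(hardened_validate(value))


if __name__ == "__main__":
    sample = "../../some/file;"  # constructed: traversal plus one trailing ';'
    print("flawed  :", allows_traversal(flawed_validate, sample))    # True
    print("hardened:", allows_traversal(hardened_validate, sample))  # False
```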

Metrics

  • CVSS v3.1: 8.1
  • Severity: HIGH
  • Fixed in: none (no upstream fix published at time of publication)
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A path-traversal and remote code execution vulnerability exists in Roxy-WI, a web management interface for HAProxy, Nginx, Apache, and Keepalived servers. The flaw is reachable over the network by any authenticated low-privilege user, with no victim interaction required, because the centralized EscapedString Pydantic validator in class_models.py routes crafted input through a metacharacter-stripping branch that leaves directory-traversal sequences intact and unquoted. Successful exploitation allows an attacker to read sensitive files from the host or execute arbitrary commands, resulting in full confidentiality and integrity compromise of the underlying system. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection of CVE-2026-45565 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all images in customer registries and CI pipelines, including custom-built images that package Roxy-WI directly. Any image containing roxy-wi at version 8.2.6.4 or earlier is flagged automatically.

Status: Available

Triage

Triage is available using the CVSS v3.1 score of 8.1 (HIGH), weighted against each customer organization's compliance policy to determine urgency and escalation path. Findings are routed to the appropriate team inbox within each customer org based on image ownership and policy configuration.

Status: Available

Patch

Because no upstream fix version has been published as of the CVE record date, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream patch is released. For customers with auto-remediation enabled, a rebuilt image, regression-test run, and a pull request opened against affected workloads will be triggered without manual intervention once a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Roxy-WI web interface over the network; the service is exposed via HTTP/HTTPS and no local or physical access is assumed.

  • Authentication: Required

    Any low-privilege account is sufficient; the attacker must be authenticated to the Roxy-WI interface but does not need administrative rights.

  • Victim interaction: Not required

    No victim interaction is needed; the attacker submits a crafted payload directly to the vulnerable API fields without requiring any other user to take action.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is reliable and requires no race conditions, memory-layout knowledge, or other environmental preconditions beyond a valid low-privilege session.

Blast Radius

  • Reads arbitrary files from the host filesystem, including SSH private keys, configuration files with embedded credentials, and OS-level secrets reachable through the traversal path.
  • Executes arbitrary shell commands on the server running Roxy-WI by injecting payloads through the unquoted, traversal-surviving EscapedString output passed to shell invocations.
  • Modifies or overwrites server-side configuration files for HAProxy, Nginx, Apache, or Keepalived, disrupting or redirecting proxied traffic.
  • Pivots laterally to backend infrastructure servers whose SSH credentials are stored within Roxy-WI, since the attacker can read and exfiltrate those credentials.

How HarborGuard Handles This

Available on HarborGuard: any image containing roxy-wi at version 8.2.6.4 or earlier is flagged at ingestion time against this CVE record, with findings routed according to each customer org's compliance policy. Because no upstream patch exists at publication time, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically once the maintainers ship a fix. For customers with auto-remediation enabled, that rebuild triggers a regression-test run and a PR opened against affected workloads without requiring manual steps. While no patch is available, recommended compensating controls include applying network policy to restrict access to the Roxy-WI interface to trusted source IPs only, enforcing egress filtering on the host to limit the impact of any command execution, and reviewing Roxy-WI role assignments to ensure no unintended accounts hold authenticated access to the interface.

Affected packages

  • roxy-wi / roxy-wi: <= 8.2.6.4

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N