CVE-2026-45569 | Severity: HIGH | CNA: GitHub_M

CVE-2026-45569: Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op (tuple-membership bug)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, commit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a check of the form `'..' in (a, b, c)` at app/modules/config/config.py:462. This is tuple membership, not substring containment: `'..' in (a, b, c)` evaluates to True only if one of a, b, c is equal to the literal string '..'. For any realistic path-traversal payload (../../etc/passwd, ..\\..\\etc\\passwd, etc.) the check returns False and the patch silently lets the payload through. At time of publication, there are no publicly available patches.

Metrics

CVSS v3.1: 8.1
Severity: HIGH
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

A path-traversal vulnerability exists in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers, affecting versions 8.2.6.4 and prior. The flaw stems from a defective security patch: the check `'..' in (a, b, c)` tests tuple membership rather than substring containment, meaning any real path-traversal payload (such as `../../etc/passwd`) bypasses the guard silently. An authenticated attacker reachable over the network can read arbitrary files on the host and tamper with configuration data. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as a fix version is published.
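To make the defect concrete, here is an added example (not code from Roxy-WI or the advisory) that places the tuple-membership check described above beside what the patch intended, and beside a stronger confinement check that also rejects absolute paths. The variable names follow the commit message; the surrounding Roxy-WI function, the base directory and the path layout are assumptions.

```python
import os

# Defective guard as described in the advisory: `in` against a tuple is a
# membership test, True only when one value IS the literal string '..'.
# Names follow the commit message (config_file_name, configver); the
# surrounding Roxy-WI function is assumed, not reproduced.
def defective_guard(config_file_name: str, configver: str) -> bool:
    """Return True when the request is rejected."""
    return '..' in (config_file_name, configver)


def substring_guard(config_file_name: str, configver: str) -> bool:
    """What the patch meant: reject if '..' occurs inside any value."""
    return any('..' in value for value in (config_file_name, configver))


def is_confined(base_dir: str, *parts: str) -> bool:
    """Added generalisation: resolve the joined path and require that it
    stays under base_dir. Unlike a substring check this also rejects
    absolute paths and symlink escapes."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    return os.path.commonpath([base, candidate]) == base


def hardened_guard(base_dir: str, config_file_name: str, configver: str) -> bool:
    """Reject unless both the substring check and confinement pass.
    The <base>/<configver>/<config_file_name> layout is an assumption."""
    if substring_guard(config_file_name, configver):
        return True
    return not is_confined(base_dir, configver, config_file_name)


# Constructed sample inputs; only '../../etc/passwd' is quoted in the advisory.
SAMPLES = [
    ("haproxy.cfg", "v1"),          # legitimate request
    ("..", "v1"),                   # the only shape the defective guard stops
    ("../../etc/passwd", "v1"),     # payload quoted in the advisory
    ("/etc/passwd", "v1"),          # absolute path: passes the substring check
]

if __name__ == "__main__":
    for name, ver in SAMPLES:
        print(f"{name!r:22} defective={defective_guard(name, ver)!s:6}"
              f"substring={substring_guard(name, ver)!s:6}"
              f"hardened={hardened_guard('/tmp', name, ver)}")
```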

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images automatically. Any image carrying an affected version of roxy-wi (8.2.6.4 or earlier) is flagged without requiring manual intervention.

Triage: Available

HarborGuard scores this CVE at 8.1 HIGH using the published CVSS v3.1 vector and can weight that score against each customer organization's own compliance policy to determine urgency and routing. Alerts are directed to the appropriate team inbox within each org based on policy configuration, so the right engineers see it without manual triage.

Patch: Pending upstream

Because no fix version has been published upstream as of the CVE publication date, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without delay once a fix version exists.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Roxy-WI web interface over the network; the service must be accessible from the attacker's position (AV:N).

  • Authentication: Required

    A valid low-privilege account is sufficient; no administrator or elevated credentials are needed to trigger the path-traversal (PR:L).

  • Victim interaction: Not required

    No victim action such as clicking a link or opening a file is needed; the attacker sends the malicious request directly (UI:N).

  • Attack complexity: Low

    Exploitation is reliable and condition-free; no race conditions, memory-layout dependencies, or special environmental state are required (AC:L).

Blast Radius

  • An attacker reads arbitrary files accessible to the Roxy-WI process, including configuration files, credentials, private keys, and secrets stored on the host filesystem.
  • An attacker writes or overwrites configuration files for managed services (HAProxy, Nginx, Apache, Keepalived), potentially altering routing rules, access controls, or TLS settings across the managed fleet.
  • Manipulated service configurations can be used to redirect traffic, disable TLS verification, or introduce backdoor listener rules into managed load balancers and web servers.

How HarborGuard Handles This

Available on HarborGuard: this CVE is monitored continuously because no upstream patch exists at time of publication. HarborGuard re-evaluates the advisory on every ingest cycle, so the moment a fix version is published, a patched-image rebuild becomes available and, for customers with auto-remediation enabled, a rebuild plus regression run plus PR against affected workloads is initiated automatically. While no upstream fix exists, customers running affected Roxy-WI deployments should consider compensating controls: restrict network access to the Roxy-WI interface using Kubernetes NetworkPolicy or firewall rules so only trusted source IPs can reach it; apply egress filtering to limit what the process can read or exfiltrate; and audit which accounts hold credentials to the interface, reducing the pool of users whose sessions could be leveraged. HarborGuard will surface the patched rebuild as soon as it is available without requiring any manual configuration change from customers.

Affected packages
  • roxy-wi / roxy-wi: <= 8.2.6.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N