CVE-2026-45558— Roxy-WI 输入验证错误漏洞
Possible ATT&CK Techniques 2AI
T1059 · Command and Scripting Interpreter T1190 · Exploit Public-Facing Application新しい脆弱性情報の通知を購読するログインして購読
I. CVE-2026-45558の基本情報
脆弱性情報
脆弱性についてご質問がありますか?Shenlongの分析が参考になるかご確認ください!
Shenlongの10の質問を表示 ↗ 高度な大規模言語モデル技術を使用していますが、出力には不正確または古い情報が含まれる可能性があります。Shenlongはデータの正確性を確保するよう努めていますが、実際の状況に基づいて検証・判断してください。
脆弱性タイトル
Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field config injection in section save
ソース: NVD (National Vulnerability Database)
脆弱性説明
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the HAProxy section-save endpoints (POST /api/service/haproxy/<server_id>/section/<section_type> and the PUT / global / defaults variants) accept a JSON option field that is not validated, not escaped, and is rendered verbatim into the generated HAProxy configuration via the section.j2, global.j2, and defaults.j2 Ansible templates. Because Roxy-WI then pushes the generated config to the load balancer and runs systemctl reload haproxy, an authenticated user with role ≤ 3 (user) can inject arbitrary HAProxy directives into the config that runs on every load balancer their group manages — including option external-check + external-check command /bin/bash -c '…', which gives remote code execution on the load balancer as the haproxy user on every health-check tick. At time of publication, there are no publicly available patches.
ソース: NVD (National Vulnerability Database)
CVSS情報
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
ソース: NVD (National Vulnerability Database)
脆弱性タイプ
输入验证不恰当
ソース: NVD (National Vulnerability Database)
脆弱性タイトル
Roxy-WI 输入验证错误漏洞
ソース: CNNVD (China National Vulnerability Database)
脆弱性説明
Roxy-WI是Roxy-WI开源的一款用于管理 Haproxy、Nginx 和 Keepalived 服务器的 Web 界面。 Roxy-WI 8.2.6.4及之前版本存在输入验证错误漏洞,该漏洞源于HAProxy部分保存端点接受未验证、未转义的JSON选项字段并直接渲染到生成的HAProxy配置中,认证用户可注入任意HAProxy指令导致远程代码执行。
ソース: CNNVD (China National Vulnerability Database)
CVSS情報
N/A
ソース: CNNVD (China National Vulnerability Database)
脆弱性タイプ
N/A
ソース: CNNVD (China National Vulnerability Database)
影響を受ける製品
II. CVE-2026-45558の公開POC
| # | POC説明 | ソースリンク | Shenlongリンク |
|---|
AI生成POCプレミアム
Qwen3.6-35B-A3B · 4060 文字数
Pro+限定の内容:
脆弱性再現の録画(実際のサンドボックス構築 + トリガー、限定)
脆弱性の原理を深く分析
トリガー条件と影響範囲
完全な実行可能POCコード
攻撃チェーンと緩和策の提案
POCパッケージのダウンロード
月間100件以上のAI生成枠
III. CVE-2026-45558のインテリジェンス情報
请登录查看更多情报信息。
CVE-2026-45558 厂商安全公告 (1)
Same Patch Batch · roxy-wi · 2026-06-10 · 14 CVEs total
| CVE-2026-45556 | 9.9 CRITICAL | Roxy-WI: Authenticated arbitrary file write on every managed load balancer (and downstream |
| CVE-2026-45552 | 9.9 CRITICAL | Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on |
| CVE-2026-45550 | 9.1 CRITICAL | Roxy-WI: IDOR on PUT /smon/check — any user can rewrite any tenant's monitoring URL/IP/bod |
| CVE-2026-45564 | 8.8 HIGH | Roxy-WI: Authenticated RCE via 'configver' URL parameter (os.system sink in /config/versio |
| CVE-2026-45549 | 8.5 HIGH | Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or rest |
| CVE-2026-45567 | 8.3 HIGH | Roxy-WI: Authentication bypass via 'api' substring in URL + unauthenticated /api/gpt |
| CVE-2026-45569 | 8.1 HIGH | Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op (tuple-membership bug) |
| CVE-2026-45565 | 8.1 HIGH | Roxy-WI: EscapedString validator skips its '..' block when stripping (root cause for sever |
| CVE-2026-45561 | 6.5 MEDIUM | Roxy-WI: SSRF in /smon/agent/<endpoint>/<server_ip> reachable to cloud metadata IPs |
| CVE-2026-45566 | 6.1 MEDIUM | Roxy-WI: Open redirect on /login?next= via basic-auth userinfo syntax bypass |
| CVE-2026-45560 | 6.1 MEDIUM | Roxy-WI: Stored XSS in log viewer (wrap_line/highlight_word produce unescaped HTML) |
| CVE-2026-45559 | 4.9 MEDIUM | Roxy-WI: LDAP injection in /user/ldap/<username> (admin-only) |
| CVE-2026-45563 | 4.3 MEDIUM | Roxy-WI: IDOR — any authenticated user can read another user's full action history |
IV. 関連脆弱性
同じ製品: roxy-wi
- CVE-2026-45569
Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op - CVE-2026-45567
Roxy-WI: Authentication bypass via 'api' substring in URL + - CVE-2026-45566
Roxy-WI: Open redirect on /login?next= via basic-auth userin - CVE-2026-45565
Roxy-WI: EscapedString validator skips its '..' block when s - CVE-2026-45564
Roxy-WI: Authenticated RCE via 'configver' URL parameter (os
同じベンダー: roxy-wi
- CVE-2026-45569
Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op - CVE-2026-45567
Roxy-WI: Authentication bypass via 'api' substring in URL + - CVE-2026-45566
Roxy-WI: Open redirect on /login?next= via basic-auth userin - CVE-2026-45565
Roxy-WI: EscapedString validator skips its '..' block when s - CVE-2026-45564
Roxy-WI: Authenticated RCE via 'configver' URL parameter (os
同じ弱点: CWE-20
V. CVE-2026-45558へのコメント
まだコメントはありません