
CVE-2026-45564 — Roxy-WI: Authenticated RCE via 'configver' URL parameter (os.system sink in /config/versions/.../save)

CVSS 8.8 · High · EPSS 0.30% · P22

Affected Version Matrix (1)

Vendor: roxy-wi · Product: roxy-wi · Version Range: <= 8.2.6.4 · Status: affected

I. Basic Information for CVE-2026-45564

Vulnerability Information


Vulnerability Title
Roxy-WI: Authenticated RCE via 'configver' URL parameter (os.system sink in /config/versions/.../save)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, POST /config/versions/<service>/<server_ip>/<configver>/save interpolates the URL-path configver parameter directly into a config-version path that ends up at os.system(f"dos2unix -q {cfg}"). configver is not run through EscapedString (Pydantic doesn't validate path segments declared as str) and the surrounding .. block is the broken tuple-membership patch from GHSA-vapt-004. An authenticated user with role <= 3 ("user") therefore reaches a bin/sh -c command-injection sink. At time of publication, there are no publicly available patches.
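The description above names two defects: a URL path segment interpolated into a shell command string, and no path-segment validation before that string reaches os.system. The following is an added illustration of that pattern beside a hardened form; it is not Roxy-WI's code, and the directory layout (VERSIONS_ROOT), the function names and the segment allowlist are assumptions made for the example.

```python
import re
import subprocess
from pathlib import Path

# Hypothetical versions directory; Roxy-WI's real layout is not shown on this page.
VERSIONS_ROOT = Path("/tmp/roxywi-demo/versions")

# Allowlist for one path segment (an assumption, not Roxy-WI's EscapedString):
# no separators, no whitespace, no shell metacharacters, and neither "." nor ".."
# can match because the first character must be alphanumeric.
SEGMENT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def vulnerable_command(service: str, server_ip: str, configver: str) -> str:
    """The pattern the advisory describes: URL path segments interpolated into a
    shell command string that would then be handed to os.system (/bin/sh -c).
    Nothing here rejects '..' or shell metacharacters in any of the segments."""
    cfg = f"{VERSIONS_ROOT}/{service}/{server_ip}/{configver}"
    return f"dos2unix -q {cfg}"


def validate_segment(name: str, value: str) -> str:
    """Reject any value that is not a plain single file-name segment."""
    if not SEGMENT_RE.fullmatch(value):
        raise ValueError(f"invalid {name!r} path segment")
    return value


def safe_config_path(service: str, server_ip: str, configver: str) -> Path:
    """Build the config path from validated segments, then confirm the resolved
    result still lies under VERSIONS_ROOT (defence in depth against traversal)."""
    root = VERSIONS_ROOT.resolve()
    candidate = (
        root
        / validate_segment("service", service)
        / validate_segment("server_ip", server_ip)
        / validate_segment("configver", configver)
    ).resolve()
    if root not in candidate.parents:
        raise ValueError("config path escapes the versions root")
    return candidate


def safe_command(service: str, server_ip: str, configver: str) -> list[str]:
    """argv list for subprocess: no shell is involved, so the path is passed as
    one argument whatever characters it contains."""
    return ["dos2unix", "-q", str(safe_config_path(service, server_ip, configver))]


def normalize_line_endings(service: str, server_ip: str, configver: str) -> None:
    """Hardened replacement for the os.system sink: list argv, shell=False."""
    subprocess.run(safe_command(service, server_ip, configver), check=True)


if __name__ == "__main__":
    # Constructed inputs for demonstration only.
    print(vulnerable_command("haproxy", "10.0.0.1", ".."))   # traversal segment accepted
    print(safe_command("haproxy", "10.0.0.1", "v1.cfg"))      # argv list, no shell
    try:
        safe_command("haproxy", "10.0.0.1", "..")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist is deliberately narrow (it would reject an IPv6 literal in server_ip, for instance); the point is that the validation runs on every segment before any command is built, and that the command itself is an argv list rather than a string a shell has to parse.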
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Roxy-WI OS Command Injection Vulnerability
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Roxy-WI is an open-source web interface from Roxy-WI for managing Haproxy, Nginx and Keepalived servers. Roxy-WI 8.2.6.4 and earlier versions contain an OS command injection vulnerability. It stems from the POST /config/versions/ route inserting the configver parameter directly into an os.system call, which may allow an authenticated user to perform command injection.
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

Vendor: roxy-wi · Product: roxy-wi · Affected Versions: <= 8.2.6.4 · CPE: -

II. Public POCs for CVE-2026-45564

AI-Generated POC (Premium) · Qwen3.6-35B-A3B · 7137 chars

III. Intelligence Information for CVE-2026-45564


Vendor Advisories for CVE-2026-45564 (1)

Same Patch Batch · roxy-wi · 2026-06-10 · 14 CVEs total

CVE-2026-45556 · 9.9 CRITICAL · Roxy-WI: Authenticated arbitrary file write on every managed load balancer (and downstream
CVE-2026-45558 · 9.9 CRITICAL · Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field confi
CVE-2026-45552 · 9.9 CRITICAL · Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on
CVE-2026-45550 · 9.1 CRITICAL · Roxy-WI: IDOR on PUT /smon/check — any user can rewrite any tenant's monitoring URL/IP/bod
CVE-2026-45549 · 8.5 HIGH · Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or rest
CVE-2026-45567 · 8.3 HIGH · Roxy-WI: Authentication bypass via 'api' substring in URL + unauthenticated /api/gpt
CVE-2026-45569 · 8.1 HIGH · Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op (tuple-membership bug)
CVE-2026-45565 · 8.1 HIGH · Roxy-WI: EscapedString validator skips its '..' block when stripping (root cause for sever
CVE-2026-45561 · 6.5 MEDIUM · Roxy-WI: SSRF in /smon/agent/<endpoint>/<server_ip> reachable to cloud metadata IPs
CVE-2026-45566 · 6.1 MEDIUM · Roxy-WI: Open redirect on /login?next= via basic-auth userinfo syntax bypass
CVE-2026-45560 · 6.1 MEDIUM · Roxy-WI: Stored XSS in log viewer (wrap_line/highlight_word produce unescaped HTML)
CVE-2026-45559 · 4.9 MEDIUM · Roxy-WI: LDAP injection in /user/ldap/<username> (admin-only)
CVE-2026-45563 · 4.3 MEDIUM · Roxy-WI: IDOR — any authenticated user can read another user's full action history

IV. Related Vulnerabilities

V. Comments for CVE-2026-45564

No comments yet