CVE-2026-45569— Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op (tuple-membership bug)
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45569
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op (tuple-membership bug)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, ommit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a line in app/modules/config/config.py:462. This is tuple-membership, not substring containment — '..' in (a, b, c) evaluates to True only if any of a, b, c is equal to the literal string '..'. For any realistic path-traversal payload (../../etc/passwd, ..\\..\\etc\\passwd, etc.) the check returns False and the patch silently lets the payload through. At time of publication, there are no publicly available patches.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Roxy-WI 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Roxy-WI是Roxy-WI开源的一款用于管理 Haproxy、Nginx 和 Keepalived 服务器的 Web 界面。 Roxy-WI 8.2.6.4及之前版本存在路径遍历漏洞,该漏洞源于路径遍历检查使用元组成员测试而非子串包含,可能导致攻击者绕过路径遍历防护。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45569
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
Qwen3.6-35B-A3B · 6125 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-45569
请登录查看更多情报信息。
Patches & Fixes for CVE-2026-45569 (2)
Same Patch Batch · roxy-wi · 2026-06-10 · 14 CVEs total
| CVE-2026-45556 | 9.9 CRITICAL | Roxy-WI: Authenticated arbitrary file write on every managed load balancer (and downstream |
| CVE-2026-45558 | 9.9 CRITICAL | Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field confi |
| CVE-2026-45552 | 9.9 CRITICAL | Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on |
| CVE-2026-45550 | 9.1 CRITICAL | Roxy-WI: IDOR on PUT /smon/check — any user can rewrite any tenant's monitoring URL/IP/bod |
| CVE-2026-45564 | 8.8 HIGH | Roxy-WI: Authenticated RCE via 'configver' URL parameter (os.system sink in /config/versio |
| CVE-2026-45549 | 8.5 HIGH | Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or rest |
| CVE-2026-45567 | 8.3 HIGH | Roxy-WI: Authentication bypass via 'api' substring in URL + unauthenticated /api/gpt |
| CVE-2026-45565 | 8.1 HIGH | Roxy-WI: EscapedString validator skips its '..' block when stripping (root cause for sever |
| CVE-2026-45561 | 6.5 MEDIUM | Roxy-WI: SSRF in /smon/agent/<endpoint>/<server_ip> reachable to cloud metadata IPs |
| CVE-2026-45566 | 6.1 MEDIUM | Roxy-WI: Open redirect on /login?next= via basic-auth userinfo syntax bypass |
| CVE-2026-45560 | 6.1 MEDIUM | Roxy-WI: Stored XSS in log viewer (wrap_line/highlight_word produce unescaped HTML) |
| CVE-2026-45559 | 4.9 MEDIUM | Roxy-WI: LDAP injection in /user/ldap/<username> (admin-only) |
| CVE-2026-45563 | 4.3 MEDIUM | Roxy-WI: IDOR — any authenticated user can read another user's full action history |
IV. Related Vulnerabilities
Same product: roxy-wi
- CVE-2026-45567
Roxy-WI: Authentication bypass via 'api' substring in URL + - CVE-2026-45566
Roxy-WI: Open redirect on /login?next= via basic-auth userin - CVE-2026-45565
Roxy-WI: EscapedString validator skips its '..' block when s - CVE-2026-45564
Roxy-WI: Authenticated RCE via 'configver' URL parameter (os - CVE-2026-45563
Roxy-WI: IDOR — any authenticated user can read another user
Same vendor: roxy-wi
- CVE-2026-45567
Roxy-WI: Authentication bypass via 'api' substring in URL + - CVE-2026-45566
Roxy-WI: Open redirect on /login?next= via basic-auth userin - CVE-2026-45565
Roxy-WI: EscapedString validator skips its '..' block when s - CVE-2026-45564
Roxy-WI: Authenticated RCE via 'configver' URL parameter (os - CVE-2026-45563
Roxy-WI: IDOR — any authenticated user can read another user
Same weakness: CWE-22
- CVE-2026-54223
Remote Code Execution via arbitrary file read and write in U - CVE-2026-8811
Path traversal in PDF generation module - CVE-2026-48768
TypeBot: Unauthenticated arbitrary s3 object write in genera - CVE-2026-12568
Arbitrary File Write in postman_download module - CVE-2026-12565
Path Traversal (Zip-Slip) in unarchive module
V. Comments for CVE-2026-45569
No comments yet