CVE-2026-45569 HIGH

CVE-2026-45569: Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op (tuple-membership bug)

Vendor Roxy-Wi
Product roxy-wi
Weakness CWE-22 · Path traversal
Published June 10, 2026
Last update June 11, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

What the vulnerability does

01Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, ommit d4d10006 ("Expand validation to block .. in config_file_name and configver for improved security") added a line in app/modules/config/config.py:462. This is tuple-membership, not substring containment — '..' in (a, b, c) evaluates to True only if any of a, b, c is equal to the literal string '..'. For any realistic path-traversal payload (../../etc/passwd, ..\\..\\etc\\passwd, etc.) the check returns False and the patch silently lets the payload through. At time of publication, there are no publicly available patches.

Key dates

02Disclosure timeline

June 10, 2026 CVE published
June 11, 2026 Record updated