Input validation error in Roxy-WI - CVE-2026-45558

 


Published: May 16, 2026


Vulnerability identifier: #VU131611
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-45558
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Roxy-WI
Affected software: Roxy-WI

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code on managed HAProxy load balancers.

The vulnerability exists due to improper input validation in the HAProxy section-save endpoints and related Ansible templates when processing the JSON option field and rendering generated HAProxy configuration. A remote user can submit a specially crafted option value containing injected HAProxy directives to execute arbitrary code on managed HAProxy load balancers.

The injected directives are pushed to the load balancer configuration and executed after HAProxy is reloaded, and the resulting code runs as the haproxy user.
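One way to constrain a free-form `option` value before it is rendered into a configuration template, shown as an added example (not Roxy-WI's code and not the vendor's fix). The allowlist contents, the function names and the sample values in the test are assumptions made for illustration.

```python
import re

# Assumption: the directives an operator is willing to accept from the
# free-form "option" field. Illustrative allowlist, not Roxy-WI's own.
ALLOWED = {
    "option": re.compile(r"(httplog|tcplog|forwardfor|redispatch|dontlognull)"),
    "timeout": re.compile(r"(client|server|connect|queue) \d{1,6}(ms|s|m)?"),
    "maxconn": re.compile(r"\d{1,7}"),
    "balance": re.compile(r"(roundrobin|leastconn|source)"),
}
MAX_LINES = 16


class OptionRejected(ValueError):
    """Raised when the option value must not reach the template."""


def validate_option_field(value):
    """Return normalized directive lines, or raise OptionRejected."""
    if not isinstance(value, str):
        raise OptionRejected("option must be a string")
    # Only printable ASCII plus LF: rejects CR, NUL, tabs and Unicode line
    # separators that a renderer or parser could treat as a line break.
    if re.search(r"[^\x20-\x7e\n]", value):
        raise OptionRejected("control or non-ASCII character in option")
    lines = [ln.split() for ln in value.split("\n") if ln.strip()]
    if len(lines) > MAX_LINES:
        raise OptionRejected("too many directives")
    normalized = []
    for tokens in lines:
        keyword, args = tokens[0], " ".join(tokens[1:])
        pattern = ALLOWED.get(keyword)
        # fullmatch: the whole argument string must fit the pattern, so
        # quotes, '#', '$' expansion and trailing extra tokens are rejected.
        if pattern is None or not pattern.fullmatch(args):
            raise OptionRejected(f"directive not allowed: {keyword!r}")
        normalized.append(f"{keyword} {args}")
    return normalized


def is_safe_option(value):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_option_field(value)
        return True
    except OptionRejected:
        return False
```

Only the normalized lines returned by the validator should be handed to the template, never the raw request value, so the rendered section contains exactly one allowlisted directive per line.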


How to mitigate CVE-2026-45558

Install the security update from the vendor's website.
