Injection Vulnerability in Roxy-WI Web Interface for HAProxy and Nginx
CVE-2026-45558
9.9 CRITICAL
What is CVE-2026-45558?
Roxy-WI, a web interface for managing HAProxy, Nginx, and Apache servers, is affected by an injection vulnerability caused by unvalidated JSON input. In versions up to 8.2.6.4, certain endpoints allow authenticated users to inject arbitrary HAProxy directives directly into the generated configuration files. The input is rendered unescaped in Ansible templates, which can lead to remote code execution on affected load balancers. An attacker with a specific user role can exploit this issue to execute commands during health checks, compromising the security of the load balancing infrastructure. At the time of this report, no patches are available to mitigate the risk.
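As an added example (not Roxy-WI's code and not a vendor fix), the code below shows allowlist validation that keeps a JSON value from adding lines to a rendered HAProxy configuration. The field names, patterns and the `server` line layout are assumptions, since the advisory does not name the affected keys or templates.

```python
import re

# Hypothetical field names and patterns; the advisory does not list the
# affected JSON keys. Each class excludes whitespace and control characters,
# so a value cannot start a new configuration line.
FIELD_PATTERNS = {
    "name": re.compile(r"[A-Za-z0-9_.-]{1,64}"),
    "server": re.compile(r"[A-Za-z0-9_.:-]{1,255}"),
    "port": re.compile(r"[0-9]{1,5}"),
}


class UnsafeConfigValue(ValueError):
    """Raised when a request field must not reach the config template."""


def validate_fields(payload: dict) -> dict:
    """Return validated string values, or raise UnsafeConfigValue."""
    if set(payload) != set(FIELD_PATTERNS):
        raise UnsafeConfigValue("unexpected or missing fields")
    clean = {}
    for key, value in payload.items():
        if isinstance(value, bool) or not isinstance(value, (str, int)):
            raise UnsafeConfigValue(f"{key}: unsupported type")
        text = str(value)
        # fullmatch() checks the whole value; match() with '$' would still
        # accept a trailing newline.
        if not FIELD_PATTERNS[key].fullmatch(text):
            raise UnsafeConfigValue(f"{key}: disallowed characters")
        clean[key] = text
    if not 1 <= int(clean["port"]) <= 65535:
        raise UnsafeConfigValue("port: out of range")
    return clean


def render_server_line(payload: dict) -> str:
    """Build one HAProxy 'server' line from validated fields only."""
    f = validate_fields(payload)
    return f"    server {f['name']} {f['server']}:{f['port']} check"


def is_rejected(payload: dict) -> bool:
    try:
        validate_fields(payload)
    except UnsafeConfigValue:
        return True
    return False


# Constructed sample requests (not taken from the advisory).
BENIGN = {"name": "web01", "server": "10.0.0.5", "port": 8080}
INJECTED = {"name": "web01", "server": "10.0.0.5",
            "port": "8080\n    option httplog"}
```

Validation at the API boundary complements escaping inside the template; it does not replace it.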
Affected Version(s)
roxy-wi <= 8.2.6.4
