External risk intelligence

Roxy-WI HAProxy Configuration Injection Leads to Remote Code Execution

CVE advisory. Severity: CRITICAL (CVSS 9.9)

CVE-2026-45558

Roxy-WI, a web interface for managing network servers, contains a vulnerability allowing an authenticated user to inject arbitrary HAProxy directives. This can lead to remote code execution on load balancers by executing commands as the HAProxy user during health checks, as input is not properly validated before config

Halo Surface Signal

Halo Surface Signal score for CVE-2026-45558: 4 (external exposure likelihood)

Vulnerability type: OS Command Injection

Roxy-WI is a management interface specifically designed for web servers and load balancers. As a centralized administrative web portal used to configure network infrastructure, it is commonly deployed as an externally accessible or internet-facing service to facilitate remote management of infrastructure components.

PCI scan relevance

Halo PCI Relevance for CVE-2026-45558: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability in Roxy-WI allows an authenticated user to inject arbitrary HAProxy directives, leading to remote code execution on the load balancer. The critical severity warrants a PCI scan relevance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

Roxy-WI, a tool for managing critical network servers, has a vulnerability that could allow an authenticated user to execute commands remotely on managed load balancers. This occurs because certain configuration inputs are not properly validated before being applied, potentially leading to the injection of malicious directives. The main concern is confirming relevance and exposure to ensure affected systems are identified.

  • Unvalidated configuration allows remote command execution.
  • Impacts management of key network infrastructure.
  • Assess relevance and exposure promptly.

Attack Path

How an attacker could exploit the issue

An attacker with a low-level user role in Roxy-WI can inject malicious commands into the server's HAProxy configuration. This is possible because the `section-save` endpoints do not properly validate or escape user-supplied options. When Roxy-WI pushes this modified configuration to the load balancer and restarts HAProxy, the injected commands execute with the privileges of the HAProxy user during health checks.

  • Authenticated user with low privileges.
  • Sending crafted JSON to API endpoints.
  • Remote code execution on the load balancer.
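As an added illustration of the defender-side check the Attack Path implies (this is not Roxy-WI's code or anything from the advisory): a value-level guard for user-supplied HAProxy options that rejects line breaks and program-executing directives, plus an audit of a generated haproxy.cfg before it is pushed to a load balancer. The directive name `external-check` comes from the HAProxy configuration manual; the advisory does not name the directive involved, and the sample config below is constructed.

```python
import re
from typing import List, Tuple

# Constructed sample of a generated haproxy.cfg, used only to exercise audit_config().
SAMPLE_CFG = """\
global
    daemon
backend app
    option httpchk GET /health
    server web1 10.0.0.10:8080 check
    option external-check
    external-check command /opt/scripts/check.sh
"""

# Bytes that would let one option value become several config lines.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")

# HAProxy directive family that runs an external program during health checks
# (from the HAProxy configuration manual; the advisory itself names no directive).
_EXEC_DIRECTIVES = {"external-check"}


def _first_directive(line: str) -> str:
    """Return the directive keyword of a config line, skipping a leading 'option'."""
    tokens = line.split("#", 1)[0].split()
    if tokens and tokens[0] == "option":
        tokens = tokens[1:]
    return tokens[0] if tokens else ""


def validate_option(value: str) -> str:
    """Accept a user-supplied option value only if it stays on one line and does not
    introduce a program-executing directive; raise ValueError otherwise."""
    if _CONTROL.search(value):
        raise ValueError("control character in option value")
    if _first_directive(value) in _EXEC_DIRECTIVES:
        raise ValueError("directive not permitted from the management UI")
    return value.strip()


def is_safe_option(value: str) -> bool:
    """Boolean wrapper around validate_option() for callers that do not want exceptions."""
    try:
        validate_option(value)
        return True
    except ValueError:
        return False


def audit_config(cfg: str) -> List[Tuple[int, str]]:
    """Scan a generated haproxy.cfg and return (line number, line) for every
    directive that makes HAProxy execute a command, so a push can be reviewed first."""
    hits = []
    for n, raw in enumerate(cfg.splitlines(), 1):
        if _first_directive(raw) in _EXEC_DIRECTIVES:
            hits.append((n, raw.strip()))
    return hits
```

Running `audit_config()` against every config Roxy-WI is about to push, and alerting on any hit that was not deliberately authored, gives a detection point independent of the UI's own input handling.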

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an authenticated user with a low-level role to inject malicious commands into the HAProxy configuration. When the HAProxy service reloads, these commands could be executed with the privileges of the HAProxy user on the load balancer, potentially leading to remote code execution.

  • Load balancer configuration and code execution.
  • Injecting directives via unvalidated JSON input.
  • Compromise of the load balancer service.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world action for this vulnerability likely falls to infrastructure or platform teams responsible for managing Roxy-WI and the load balancers it configures. The first critical step is to identify all instances of Roxy-WI, confirm which load balancers are managed by each instance, and assess the business criticality and exposure of those load balancers. Subsequently, owners of affected load balancers must be identified to plan coordinated remediation efforts, considering that public patches are not yet available.

  • Identify affected Roxy-WI instances.
  • Verify load balancer reachability and criticality.
  • Plan coordinated remediation with owners.

Frequently asked questions

What is Roxy-WI and how is it used?

Roxy-WI is a centralized management interface designed to simplify the administration of load balancing and web server infrastructure, including HAProxy, Nginx, Apache, and Keepalived. Organizations use it as a dashboard to configure, monitor, and deploy settings across their servers, acting as a control plane for these critical network components.

What is the vulnerability in CVE-2026-45558?

This vulnerability is an improper input validation issue, specifically categorized under weaknesses like CWE-77 (Command Injection) and CWE-94 (Code Injection). In plain terms, the Roxy-WI interface fails to check or clean JSON data sent to certain configuration endpoints. This allows an attacker to insert malicious text that the system mistakenly treats as valid configuration instructions, which are then written into server files and executed.

How can an attacker trigger this CVE-2026-45558 flaw?

An attacker needs an authenticated account with at least a low-level user role (role ≤ 3) within Roxy-WI to interact with the vulnerable API endpoints. The trigger involves sending a crafted JSON payload containing malicious directives to the HAProxy section-save endpoints. Simply viewing the interface or having read-only access does not trigger the bug; the attacker must be able to perform a save operation that forces the system to regenerate and push a new configuration.

Why is this CVE-2026-45558 issue highly relevant?

According to Halo Surface Signal, Roxy-WI is a centralized management portal often deployed in internet-facing configurations for remote access. Because this vulnerability allows remote code execution on the load balancers managed by the interface, it poses a significant risk. If your Roxy-WI instance is reachable from the internet, the potential for unauthorized access to the underlying network infrastructure is substantially increased.

How should I respond to CVE-2026-45558?

Since no public patches are currently available, focus on containment and visibility. Start by identifying all active instances of Roxy-WI in your environment and cataloging every load balancer they manage. Assess the risk level of these specific systems and coordinate with your infrastructure teams to restrict access to the Roxy-WI interface to only trusted internal networks until a formal update is released to address the input validation defect.
