VYPR
Medium severity · CVSS 6.5 · NVD Advisory · Published Apr 20, 2026 · Updated Apr 24, 2026

CVE-2026-33431

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and its contents returned to the caller. The existing path traversal guard only inspects the base directory variable (which is never user-controlled) and entirely ignores the user-supplied configver value. An authenticated attacker can supply a configver value containing ../ sequences to escape the intended directory and read arbitrary files accessible to the web application process. Version 8.2.6.4 contains a patch for the issue.
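The following is an added illustration of the mechanics described above; it is not Roxy-WI code. It reconstructs the described pattern (a guard that inspects only the base directory, then joins the user-supplied configver onto it) beside a hardened variant that resolves the final path and requires it to stay inside the configs directory, and it also shows why a Python tuple-membership test like `'..' in (a, b, c)` does not catch a `../` segment. All function names, the temporary directory layout and the file contents are constructed for this example.

```python
import os
import shutil
import tempfile

# Added example, not Roxy-WI code. Function names, the sandbox layout and
# the sample config contents below are constructed for illustration.


class TraversalError(Exception):
    """Raised when a requested path would leave the configs directory."""


def build_config_path_vulnerable(configs_dir: str, configver: str) -> str:
    """Pattern the advisory describes: the guard inspects only configs_dir,
    which the caller controls, and never the user-supplied configver."""
    if '..' in configs_dir:
        raise TraversalError('error: nice try')
    return os.path.join(configs_dir, configver)


def build_config_path_hardened(configs_dir: str, configver: str) -> str:
    """Resolve the candidate path and require it to stay inside configs_dir.
    This rejects '..' segments, absolute paths and symlink escapes, not just
    the literal substring '..'."""
    if not configver or os.path.isabs(configver):
        raise TraversalError('error: nice try')
    base = os.path.realpath(configs_dir)
    candidate = os.path.realpath(os.path.join(base, configver))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise TraversalError('error: nice try')
    return candidate


def naive_tuple_guard(configs_dir, config_file_name, configver) -> bool:
    """True if the request is blocked. Tuple membership tests whether some
    element *equals* '..', so a value such as '../secret.txt' is never caught."""
    return '..' in (configs_dir, config_file_name, configver)


def substring_guard(configs_dir, config_file_name, configver) -> bool:
    """True if the request is blocked: per-value substring test, tolerating None."""
    return any(v is not None and '..' in v
               for v in (configs_dir, config_file_name, configver))


def make_sandbox() -> tuple:
    """Constructed layout: <root>/configs/<version file> plus a file outside it."""
    root = tempfile.mkdtemp(prefix='roxy_demo_')
    configs = os.path.join(root, 'configs')
    os.makedirs(configs)
    with open(os.path.join(configs, 'haproxy.cfg-2026-03-20'), 'w') as fh:
        fh.write('global\n    daemon\n')
    with open(os.path.join(root, 'secret.txt'), 'w') as fh:
        fh.write('not-for-the-web-user\n')
    return root, configs


def read_config(configs_dir: str, configver: str, builder) -> str:
    """Open and return the file the chosen path builder selects."""
    with open(builder(configs_dir, configver)) as fh:
        return fh.read()


def demo() -> dict:
    """Run the same requests against both builders and report what each returns."""
    root, configs = make_sandbox()
    out = {}
    try:
        out['vuln_legit'] = read_config(configs, 'haproxy.cfg-2026-03-20',
                                        build_config_path_vulnerable)
        # configver escapes the configs directory; the vulnerable builder leaks it.
        out['vuln_traversal'] = read_config(configs, '../secret.txt',
                                            build_config_path_vulnerable)
        out['hard_legit'] = read_config(configs, 'haproxy.cfg-2026-03-20',
                                        build_config_path_hardened)
        for label, ver in (('hard_traversal', '../secret.txt'),
                           ('hard_absolute', os.path.join(root, 'secret.txt'))):
            try:
                read_config(configs, ver, build_config_path_hardened)
                out[label] = 'read'
            except TraversalError:
                out[label] = 'blocked'
    finally:
        shutil.rmtree(root)
    return out


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key}: {value!r}')
```

The hardened builder deliberately does not rely on scanning for `..`: after `os.path.realpath` the only question that matters is whether the resolved file still lies under the resolved configs directory, which also covers absolute paths and symlinks.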

Affected products

  • cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*
    Range: <8.2.6.4

Patches

d4d100067dd0

Expand validation to block `..` in `config_file_name` and `configver` for improved security.

https://github.com/roxy-wi/roxy-wi · Aidaho · Mar 20, 2026 · via nvd-ref
1 file changed · +1 −1
  • app/modules/config/config.py (+1 −1, modified)
    @@ -459,7 +459,7 @@ def show_config(server_ip: str, service: str, config_file_name: str, configver:
     	else:
     		config_file_name = ''
     
    -	if '..' in configs_dir:
    +	if '..' in (configs_dir, config_file_name, configver):
     		raise Exception('error: nice try')
     
     	if configver is None:
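Review bot: the new condition `if '..' in (configs_dir, config_file_name, configver):` tests tuple membership, not substring presence, so it only fires when one of the three values is exactly the string `..`; a `configver` such as `../../../../etc/passwd` still passes, and the traversal the advisory describes is not closed by this hunk as written. Note too that `configver` can be `None` at this point (the very next line checks `if configver is None:`), so a per-value substring test must tolerate that, e.g. `if any(v is not None and '..' in v for v in (configs_dir, config_file_name, configver)):`. A more robust fix is to resolve the final path with `os.path.realpath` and reject anything whose resolved location is not under the configs directory, which also covers absolute paths and symlinks that a bare `..` substring check misses.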
    

