CVE-2026-45558

An authenticated user with a role of 3 or lower can send a POST request to the HAProxy section-save endpoints or a PUT request to the global/defaults variants. This request includes a JSON payload with an unescaped 'option' field. The application then renders this field verbatim into the HAProxy configuration, which is subsequently pushed to the load balancer and reloaded. This allows an attacker to inject malicious HAProxy directives, such as `option external-check` followed by `external-check command /bin/bash -c '...'`, enabling remote code execution on the load balancer as the haproxy user [ref_id=1].

The vulnerability lies within the HAProxy section-save endpoints, specifically the POST /api/service/haproxy/<server_id>/section/<section_type> and PUT /global/defaults variants. The 'option' field in the HaproxyConfigRequest, HaproxyGlobalRequest, and HaproxyDefaultsRequest models is not validated or escaped. This unvalidated input is then rendered into the HAProxy configuration via the section.j2, global.j2, and defaults.j2 Ansible templates [ref_id=1].

The advisory does not specify any patches. However, it recommends several remediation steps. These include rejecting newlines and HAProxy-meaningful characters in free-text fields, enforcing an allow-list of permitted directive prefixes for the 'option' field, or rendering directives from a structured model instead of free text. Additionally, it suggests defense in depth on the load balancer side by performing configuration syntax checks before reloading [ref_id=1].

The reference write-up provides a detailed proof of concept, including Jinja2 rendering of the template with malicious input and an end-to-end HTTP PoC using curl to demonstrate the RCE by injecting a command that calls back to an attacker-controlled server [ref_id=1].