VYPR
High severity · 8.1 · NVD Advisory · Published Jun 10, 2026

CVE-2026-45569

Description

Roxy-WI versions prior to 8.2.6.4 are vulnerable to path traversal due to a flawed patch, allowing arbitrary file reads.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Roxy-WI versions 8.2.6.4 and prior are affected by a path traversal vulnerability. A security patch introduced in commit d4d10006 [2] incorrectly checked for path traversal sequences by using tuple membership ('..' in (a, b, c)) instead of substring containment (any('..' in x for x in (a, b, c))). This flaw means that payloads like ../../etc/passwd are not detected, allowing them to be processed by the application [1].

Exploitation

An attacker needs an authenticated role (less than or equal to 3) to exploit this vulnerability. The attacker can send a POST request to `/config/versions/<service>/<server_ip>/<configver>/save` with a crafted `configver` parameter containing a path traversal sequence. This request is handled by the `save_version` function, which calls `upload_and_restart` and `get_config`, ultimately leading to the vulnerable check at app/modules/config/config.py:462 [1].

Impact

Successful exploitation allows an attacker to read arbitrary files from the Roxy-WI host. A particularly sensitive target is the JWT private key located at /var/lib/roxy-wi/keys/roxy-wi-key, which could lead to further compromise [1].

Mitigation

There are no publicly available patches for this vulnerability at the time of publication. Users are advised to monitor the Roxy-WI GitHub repository for updates [1].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Roxy Wi / Roxy Wi (2 versions)
    • (no CPE)
    • (no CPE), range: <=8.2.6.4

Patches (1)

d4d10006

Expand validation to block `..` in `config_file_name` and `configver` for improved security.

https://github.com/roxy-wi/roxy-wi · Aidaho · Mar 20, 2026 · via nvd-ref
1 file changed · +1 −1
  • app/modules/config/config.py (+1 −1, modified)
    @@ -459,7 +459,7 @@ def show_config(server_ip: str, service: str, config_file_name: str, configver:
     	else:
     		config_file_name = ''
     
    -	if '..' in configs_dir:
    +	if '..' in (configs_dir, config_file_name, configver):
     		raise Exception('error: nice try')
     
     	if configver is None:
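Review bot: the new condition in this hunk still does not detect traversal sequences, because `'..' in (configs_dir, config_file_name, configver)` is tuple membership: it is only true when one of the three values is exactly the string `'..'`, so a value such as `../../etc/passwd` passes the check. Substring containment is what was intended, e.g. `if any('..' in x for x in (configs_dir, config_file_name, configver) if x is not None):`; note the `configver is None` test two lines below, so the `None` guard is needed or the generator will raise `TypeError`. A stronger fix is to resolve the joined path with `os.path.realpath` and raise unless it stays under `configs_dir`, rather than pattern-matching on `..` at all.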
    

Vulnerability mechanics

Root cause

"A flawed path-traversal check in the configuration saving functionality allows arbitrary file reads."

Attack vector

An attacker with an admin role, or any user with a role less than or equal to 3, can exploit this vulnerability. The attacker sends a POST request to the `/config/versions/<service>/<server_ip>/<configver>/save` endpoint. This request includes a crafted `configver` value containing a path-traversal payload, such as '../../etc/passwd'. The vulnerable code then attempts to open a file at a location derived from this payload, leading to arbitrary file read.

Affected code

The vulnerability resides in the `app/modules/config/config.py` file, specifically at line 462, where a check intended to prevent path traversal is implemented. This check is called during the `save_version()` function in `app/routes/config/routes.py` and subsequently by `upload_and_restart()` and `get_config()` within `app/modules/config/config.py`.

What the fix does

The advisory indicates that no patches are publicly available at the time of publication. The proposed fix involves correcting the path-traversal check to properly identify '..' within the configuration parameters, rather than relying on a faulty tuple-membership check. A more robust solution would involve normalizing the path and verifying it resides within the expected configuration directory.

Preconditions

  • auth: Attacker must have an admin role or a role less than or equal to 3.

Reproduction

The bug is provable purely in Python:

    python3 -c "
    configs_dir = '/var/lib/roxy-wi/configs/'
    config_file_name = '../../etc/passwd'
    configver = '../../etc/passwd'
    print('Buggy patch (tuple membership): ', '..' in (configs_dir, config_file_name, configver))
    print('Correct fix (any substring): ', any('..' in x for x in (configs_dir, config_file_name, configver)))
    "

Live output:

    Buggy patch (tuple membership): False
    Correct fix (any substring): True
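The normalization-based check described under "What the fix does", as an added example that is not Roxy-WI's code; the buggy tuple check and the minimal substring fix are included for comparison, and the configs directory path and the way each parameter is joined onto it are assumptions:

```python
import os

# Assumed location of the Roxy-WI configs directory (constructed for this demo).
CONFIGS_DIR = "/var/lib/roxy-wi/configs/"


def buggy_check(configs_dir, config_file_name, configver):
    """Check from commit d4d10006: tuple membership, true only if a value equals '..'."""
    return ".." in (configs_dir, config_file_name, configver)


def substring_check(configs_dir, config_file_name, configver):
    """Minimal fix: substring containment; None is skipped because configver may be None."""
    return any(".." in x for x in (configs_dir, config_file_name, configver) if x is not None)


def resolve_under(configs_dir, name):
    """Join name onto configs_dir, normalize, and require the result to stay inside it.

    realpath() collapses '..' and resolves symlinks; commonpath() then fails closed
    for anything whose resolved location is not below the configs directory.
    Hypothetical helper, not a Roxy-WI function.
    """
    base = os.path.realpath(configs_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("error: nice try")
    return candidate


def normalized_check(configs_dir, config_file_name, configver):
    """True when every supplied parameter resolves inside configs_dir; '' and None are skipped."""
    try:
        for name in (config_file_name, configver):
            if name:
                resolve_under(configs_dir, name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    payload = "../../etc/passwd"
    print("buggy      :", buggy_check(CONFIGS_DIR, payload, payload))
    print("substring  :", substring_check(CONFIGS_DIR, payload, payload))
    print("normalized :", normalized_check(CONFIGS_DIR, payload, payload))
```

The normalized check also accepts a name such as `sub/../haproxy.cfg`, which the substring rule rejects, because what matters is where the path resolves, not whether the literal `..` appears.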

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (1)