Roxy-WI: 14 Vulnerabilities Disclosed Together, Including Critical Flaws

Key findings
- 14 vulnerabilities disclosed for Roxy-WI on June 10, 2026.
- Includes multiple Critical (9.9 CVSSv3) and High (8.1-8.8 CVSSv3) severity flaws.
- Vulnerabilities affect versions 8.2.6.4 and prior.
- Issues include authentication bypass, path manipulation, and XSS risks.
- Critical flaws allow arbitrary file path writes and unvalidated config injections.
Roxy-WI Hit by Large Disclosure of 14 Vulnerabilities
On June 10, 2026, a cluster of 14 vulnerabilities was disclosed for Roxy-WI, a web interface used for managing HAProxy, Nginx, Apache, and Keepalived servers. The vulnerabilities, affecting versions 8.2.6.4 and earlier, range in severity from medium to critical, with several high-severity flaws also present. This coordinated disclosure highlights the risk for users who have not yet updated their Roxy-WI installations.
Authentication and Authorization Bypass
Several vulnerabilities revolve around authentication and authorization bypass. CVE-2026-45567, rated High (8.3 CVSSv3), allows for an authentication bypass via an 'api' substring in the URL combined with an unauthenticated request to /api/gpt. Additionally, CVE-2026-45563 (Medium, 4.3 CVSSv3) permits any authenticated user to access history data for any server by reusing the server_ip path parameter without proper authorization checks. CVE-2026-45552 (Critical, 9.9 CVSSv3) involves an incomplete JWT authentication check on the install blueprint, potentially allowing unauthorized access to installation endpoints. Similarly, CVE-2026-45549 (High, 8.5 CVSSv3) lacks sufficient role and group ownership checks for server actions.
Configuration and Path Manipulation
Other vulnerabilities center on insecure handling of configuration files and path parameters. CVE-2026-45569 (High, 8.1 CVSSv3) stems from incomplete validation of configuration file names in config.py. CVE-2026-45565 (High, 8.1 CVSSv3) points to issues with the EscapedString Pydantic validator used on various fields, including SSH credential names. A critical vulnerability, CVE-2026-45556 (Critical, 9.9 CVSSv3), allows arbitrary file path manipulation via the config_file_name form field in the WAF rule save endpoint, potentially leading to unauthorized file overwrites. Another critical flaw, CVE-2026-45558 (Critical, 9.9 CVSSv3), involves unvalidated and unescaped JSON option fields in the HAProxy section-save endpoints, enabling injection attacks.
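The two file-name issues above (CVE-2026-45569 and CVE-2026-45556) share one root cause: a user-supplied name is joined onto a directory without confirming the result stays inside it. The following is an added illustration of the containment check a defender would expect at such an endpoint; it is not Roxy-WI's own code, and the base directory, the character allowlist and the function name are assumptions.

```python
import re
from pathlib import Path, PurePosixPath
from typing import Optional

# Hypothetical base directory for managed config files (assumption, not Roxy-WI's path)
CONFIG_ROOT = "/etc/haproxy/conf.d"
# Conservative allowlist for a bare file name (assumption; tighten to the app's real needs)
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


def safe_config_path(config_file_name: str, base_dir: str = CONFIG_ROOT) -> Optional[Path]:
    """Map a user-supplied config file name to a path inside base_dir.

    Returns the resolved path, or None when the name is empty, contains a NUL,
    is absolute, carries directory components, is '.'/'..', fails the allowlist,
    or (after symlink resolution) would land outside base_dir.
    """
    if not config_file_name or "\x00" in config_file_name:
        return None
    name = PurePosixPath(config_file_name)
    # Reject absolute names and anything that is not a single path component
    if name.is_absolute() or len(name.parts) != 1 or name.name in ("", ".", ".."):
        return None
    if not SAFE_NAME.match(name.name):
        return None
    base = Path(base_dir).resolve()
    candidate = (base / name.name).resolve()
    # Independent containment check: resolve() follows symlinks, so a link inside
    # base_dir that points elsewhere is also caught here
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    return candidate


def classify(names, base_dir: str = CONFIG_ROOT) -> dict:
    """Convenience wrapper: map each constructed input to 'accepted' or 'rejected'."""
    return {n: ("accepted" if safe_config_path(n, base_dir) else "rejected") for n in names}


if __name__ == "__main__":
    # Constructed sample inputs, not values taken from any advisory
    samples = ["site.cfg", "../../etc/passwd", "/etc/passwd", "sub/site.cfg", "..", ""]
    for item, verdict in classify(samples).items():
        print(f"{item!r:22} -> {verdict}")
```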
Cross-Site Scripting and Input Validation Issues
Several issues relate to cross-site scripting (XSS) and inadequate input validation. CVE-2026-45566 (Medium, 6.1 CVSSv3) describes a login flow that allows redirection to malicious URLs due to insufficient sanitization of the next_url parameter. CVE-2026-45560 (Medium, 6.1 CVSSv3) involves the construction of raw HTML via string concatenation without proper escaping in the wrap_line and highlight_word functions, potentially leading to XSS. CVE-2026-45559 (Medium, 4.9 CVSSv3) details an LDAP search filter built via f-string concatenation from a verbatim username path parameter, risking LDAP injection. CVE-2026-45552 (Critical, 9.9 CVSSv3), noted above for its incomplete JWT check on the install blueprint, also falls under this category.
Impact and Remediation
The disclosed vulnerabilities, particularly the critical ones like CVE-2026-45556 and CVE-2026-45558, could allow attackers to gain unauthorized access, execute arbitrary code, or manipulate critical server configurations. The wide range of issues suggests a need for thorough review and patching by all Roxy-WI users. At the time of this disclosure, specific patch versions are not detailed for all CVEs, but the affected versions are consistently noted as 8.2.6.4 and prior. Users are strongly advised to consult official Roxy-WI advisories and apply any available updates immediately to mitigate these risks.
This concentrated disclosure event underscores the importance of staying current with security updates for management interfaces like Roxy-WI, which often have privileged access to underlying server infrastructure.