CVE-2026-33431
MEDIUMRoxy-WI Vulnerable to Authenticated Arbitrary File Read via Path Traversal in Config Version Viewer
Title source: cnaDescription
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.4, the POST /config/<service>/show API endpoint accepts a configver parameter that is directly appended to a base directory path to construct a local file path, which is subsequently opened and its contents returned to the caller. The existing path traversal guard only inspects the base directory variable (which is never user-controlled) and entirely ignores the user-supplied configver value. An authenticated attacker can supply a configver value containing `../` sequences to escape the intended directory and read arbitrary files accessible to the web application process. Version 8.2.6.4 contains a patch for the issue.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-w3c9-36jf-qrw4
X_Refsource_Misc x_refsource_misc
https://github.com/roxy-wi/roxy-wi/commit/d4d100067dd0ee04317f05d3b51be8fcfdc3f802
Scores
CVSS v3
6.5
EPSS
0.0039
EPSS Percentile
30.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-24
Status
published
Products (1)
roxy-wi/roxy-wi
< 8.2.6.4 (2 CPE variants)
Published
Apr 20, 2026
Tracked Since
Apr 21, 2026