CVE-2026-27811 in Roxy-WI
Summary
by MITRE • 03/18/2026
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Prior to version 8.2.6.3, a command injection vulnerability exists in the `/config/compare/<service>/<server_ip>/show` endpoint, allowing authenticated users to execute arbitrary system commands on the app host. The vulnerability exists in `app/modules/config/config.py` on line 362, where user input is directly formatted in the template string that is eventually executed. Version 8.2.6.3 fixes the issue.
Analysis
by VulDB Data Team • 03/21/2026
The vulnerability identified as CVE-2026-27811 affects Roxy-WI, a web interface designed for managing critical infrastructure services including HAProxy, Nginx, Apache, and Keepalived servers. This tool serves as a centralized management platform for system administrators who rely on it to configure and monitor their network services. The vulnerability resides within the configuration comparison functionality, specifically in the `/config/compare/<service>/<server_ip>/show` endpoint that allows authenticated users to view configuration differences between systems. The flaw represents a critical security weakness that directly impacts the integrity and security posture of environments relying on this management interface.
The technical implementation of this vulnerability stems from improper input validation and sanitization within the `app/modules/config/config.py` file at line 362. The code directly incorporates user-supplied parameters into a template string without adequate sanitization or escaping mechanisms, creating a classic command injection vulnerability. When an authenticated user accesses the vulnerable endpoint, the system accepts the server_ip parameter and directly formats it into an execution template that eventually gets processed by the operating system. This design pattern violates fundamental security principles and allows malicious actors to inject arbitrary commands that execute with the privileges of the web application process.
The operational impact of this vulnerability extends beyond simple unauthorized command execution, as it provides attackers with significant control over the underlying system hosting the Roxy-WI application. An authenticated attacker could potentially escalate privileges, access sensitive configuration files, modify system settings, or even establish persistent access through the compromised management interface. Given that Roxy-WI typically runs in production environments where it has administrative access to critical network infrastructure, this vulnerability could enable attackers to disrupt services, exfiltrate sensitive data, or gain unauthorized access to the entire network management system. The vulnerability affects all versions prior to 8.2.6.3, indicating a prolonged window during which systems remained exposed to potential exploitation.
The mitigation strategy for this vulnerability requires immediate deployment of version 8.2.6.3 which implements proper input sanitization and parameter validation. Organizations should conduct comprehensive vulnerability assessments to identify systems running affected versions of Roxy-WI and prioritize patching efforts. Additionally, implementing network segmentation and access controls can limit the potential impact of exploitation by restricting access to the management interface. Security monitoring should be enhanced to detect suspicious command execution patterns, and regular security audits should verify that all input parameters are properly sanitized before processing. This vulnerability aligns with CWE-77 and CWE-94 categories, representing command injection flaws that enable arbitrary code execution, and maps to ATT&CK technique T1059.001 for command and scripting interpreter. Organizations should also consider implementing web application firewalls and input validation rules to provide additional defense-in-depth measures against similar injection vulnerabilities in their infrastructure management systems.
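Added illustration, not Roxy-WI's own code: the formatting pattern the analysis above describes (untrusted `server_ip` placed into a command template) beside a hardened handler of the kind the mitigation paragraph calls for. The template string, file path and function names are assumptions; only the service names and the `server_ip` parameter come from the advisory.

```python
import ipaddress
import subprocess
from typing import List

# Constructed illustration; the real Roxy-WI template and helpers differ.
ALLOWED_SERVICES = {"haproxy", "nginx", "apache", "keepalived"}


def vulnerable_command(service: str, server_ip: str) -> str:
    """The pattern the advisory describes: request input formatted straight
    into a command string that a shell later parses. The shell, not the
    application, decides where the host argument ends."""
    template = "ssh {ip} cat /etc/{service}/{service}.cfg"  # assumed template
    return template.format(service=service, ip=server_ip)


def validate_service(service: str) -> str:
    """Allow-list the service name; it also lands in a file path."""
    if service not in ALLOWED_SERVICES:
        raise ValueError(f"unsupported service: {service!r}")
    return service


def validate_server_ip(server_ip: str) -> str:
    """Accept only a syntactically valid IPv4/IPv6 address and return its
    canonical form, so no stray character can reach a command line."""
    try:
        return str(ipaddress.ip_address(server_ip))
    except ValueError as exc:
        raise ValueError(f"invalid server_ip: {server_ip!r}") from exc


def hardened_command(service: str, server_ip: str) -> List[str]:
    """Validate both parameters, then build an argv list rather than a string.
    With shell=False each list element is exactly one argument."""
    service = validate_service(service)
    host = validate_server_ip(server_ip)
    return ["ssh", "-o", "BatchMode=yes", host,
            "cat", f"/etc/{service}/{service}.cfg"]  # assumed config path


def is_safe_request(service: str, server_ip: str) -> bool:
    """Route-level pre-check: True only if both parameters pass validation."""
    try:
        hardened_command(service, server_ip)
        return True
    except ValueError:
        return False


def show_config(service: str, server_ip: str, timeout: int = 10) -> str:
    """Run the validated argv without a shell and return the remote config."""
    argv = hardened_command(service, server_ip)
    done = subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=timeout, check=True)
    return done.stdout
```

`validate_server_ip` doubles as a detection aid: logging its `ValueError` on this endpoint surfaces requests whose `server_ip` was anything other than an address.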