
Roxy-WI CVE-2026-45549 | EUVD-2026-36036

Severity: HIGH, CVSS 3.1 score 8.5 (NVD)
Weakness: Missing Authorization (CWE-862)
Published: 2026-06-10, source: GitHub_M

Severity by source

NVD (primary): 8.5 HIGH, AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: None
  • Integrity: Low
  • Availability: High

Lifecycle Timeline

  • Analysis Generated: Jun 10, 2026 - 15:12 (vuln.today)
  • CVE Published: Jun 10, 2026 - 13:59 (nvd), rated HIGH 8.5

Description (NVD)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/<action>') and @jwt_required() only - no role check, no group ownership check on the server_ip form field. Any authenticated user, including role 4 (guest), can start, stop, or restart the roxy-wi-smon-agent systemd unit on any server they can name. Roxy-WI executes the systemd action over its own SSH credentials (passwordless sudo), so the action runs as root on the target. At time of publication, there are no publicly available patches.
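The description above says agent_action enforces only @jwt_required() and skips both the role check and the group-ownership check on server_ip. The following is an added illustration, not Roxy-WI's own code: a pure-Python authorization gate showing the checks a handler like this needs before any privileged SSH/systemctl action runs. The role numbers other than guest (4), the permitted-role set, the inventory shape and the function names are assumptions made for the example.

```python
# Added example, not Roxy-WI code. Shows the authorization gate the advisory
# reports as missing from agent_action. Role 4 = guest comes from the advisory;
# the other role numbers, the allowed-role set and the inventory are assumptions.
from dataclasses import dataclass

GUEST_ROLE = 4                              # lowest-privilege role named in the advisory
ALLOWED_ACTIONS = {"start", "stop", "restart"}
AGENT_CONTROL_ROLES = {1, 2}                # assumed: only superadmin/admin may control the agent


@dataclass(frozen=True)
class User:
    name: str
    role: int
    group_id: int


# Constructed inventory (not real hosts): managed server_ip -> owning group id.
SERVER_GROUPS = {
    "10.0.1.10": 1,   # group 1's HAProxy node
    "10.0.2.20": 2,   # group 2's Nginx node
}


def authorize_agent_action(user: User, action: str, server_ip: str) -> tuple[bool, str]:
    """Return (allowed, reason). Assumes the JWT check already ran; every check
    below is one the vulnerable handler does not perform."""
    if action not in ALLOWED_ACTIONS:
        return False, f"unknown action {action!r}"
    if user.role == GUEST_ROLE or user.role not in AGENT_CONTROL_ROLES:
        return False, f"role {user.role} may not control the smon agent"
    group = SERVER_GROUPS.get(server_ip)
    if group is None:
        # Never let a caller steer the privileged SSH session to an arbitrary host.
        return False, f"{server_ip} is not a managed server"
    if group != user.group_id:
        return False, f"{server_ip} belongs to group {group}, not group {user.group_id}"
    return True, "ok"


def run_agent_action(user: User, action: str, server_ip: str, executor) -> dict:
    """Gate first, act second. `executor(server_ip, command)` stands in for the
    real SSH call so the example runs offline."""
    allowed, reason = authorize_agent_action(user, action, server_ip)
    if not allowed:
        return {"status": "denied", "reason": reason}
    command = f"sudo systemctl {action} roxy-wi-smon-agent"
    return {"status": "ok", "output": executor(server_ip, command)}
```

The point of keeping the gate in its own function is that it can be unit-tested with a guest user and a foreign server_ip without ever opening an SSH session.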

Analysis (AI)

Privilege escalation in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user, including the lowest-privilege 'guest' role 4, to start, stop, or restart the roxy-wi-smon-agent systemd unit on arbitrary managed servers, with the action executing as root via Roxy-WI's passwordless sudo SSH credentials. The flaw stems from missing role and group-ownership checks on the agent_action endpoint. No public exploit had been identified at the time of analysis, though the vulnerability is trivially reachable once an account exists.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

  • Recon: Obtain low-privilege Roxy-WI account
  • Delivery: Authenticate and acquire JWT
  • Exploit: POST to /agent/action/<action> with target server_ip
  • Install: Bypass missing role and ownership checks
  • C2: Roxy-WI SSHes to target with passwordless sudo
  • Execute: systemctl runs as root on victim host
  • Impact: Disable monitoring or induce service outage

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) a valid Roxy-WI account at any privilege level, including the lowest 'guest' role 4, since the only enforced control is @jwt_required(); (2) network reachability to the Roxy-WI web interface and its /agent/action/<action> POST endpoint; and (3) knowledge or guessing of a target server_ip value that Roxy-WI manages. …

Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H scores 8.5 and is consistent with the description: network-reachable endpoint, low complexity, only low privileges required (the guest role qualifies as PR:L), no user interaction, and a scope change because the vulnerable Roxy-WI authorization boundary is crossed to compromise downstream managed servers. …

Exploit Scenario: An insider or attacker who has compromised any Roxy-WI account, even a guest with role 4, authenticates to the web UI, obtains a JWT, and issues an HTTP POST to /agent/action/restart (or stop/start) with the server_ip form field set to a production HAProxy or Nginx host that the user has no legitimate authority over. Roxy-WI's backend opens its privileged SSH session to that target and runs systemctl as root, allowing the attacker to repeatedly stop the smon agent to blind monitoring or restart it to induce flapping and outages. …

Remediation: No vendor-released patch identified at time of analysis; the advisory explicitly states no public patches exist as of publication, so administrators should monitor https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-c92j-h72m-ff4j for a fixed release beyond 8.2.6.4. …

Recommended Action (AI)

Within 24 hours: Identify all Roxy-WI deployments and document versions (vulnerable: ≤8.2.6.4); audit access logs for suspicious agent control commands on the agent_action endpoint. …


CVE-2026-45549 vulnerability details – vuln.today
