Severity by source
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L (NVD; primary rating and the only source for this CVE)
Description (NVD)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() - which validates that the caller has some group, not that the target check_id belongs to it. The downstream SQL update functions update_smon, update_smonHttp, update_smonTcp, update_smonPing, update_smonDns (app/modules/db/smon.py:515-562) all execute WHERE smon_id = ? with no user_group filter. The DELETE path is correctly filtered (app/modules/db/smon.py:319-327 does WHERE id = ? AND user_group = ?), demonstrating that the maintainers know the right pattern but did not apply it on UPDATE. Therefore any authenticated user can iterate over smon_id values and silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. At time of publication, there are no publicly available patches.
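The missing-filter pattern described above, shown as an added example that is not Roxy-WI's code: a constructed stand-in for the smon table (column names `id` and `user_group` are assumed), an update whose WHERE clause ignores the caller's group, and the tenant-scoped variant that mirrors the predicate the DELETE path already uses.

```python
import sqlite3

# Constructed stand-in for the smon table; not Roxy-WI's real schema.
SCHEMA = """
CREATE TABLE smon (
    id INTEGER PRIMARY KEY,
    user_group INTEGER NOT NULL,
    name TEXT NOT NULL
);
"""
# Constructed sample data: one check per tenant (group 10 and group 20).
SEED = [(1, 10, "tenant-A prod api"), (2, 20, "tenant-B prod api")]


def make_db() -> sqlite3.Connection:
    """In-memory database seeded with one monitoring check per tenant."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO smon (id, user_group, name) VALUES (?, ?, ?)", SEED)
    conn.commit()
    return conn


def update_smon_unscoped(conn: sqlite3.Connection, smon_id: int, name: str) -> int:
    """Vulnerable shape (CWE-639): the caller's group is not part of the predicate,
    so a row id is the only thing needed to rewrite any tenant's check."""
    cur = conn.execute("UPDATE smon SET name = ? WHERE id = ?", (name, smon_id))
    conn.commit()
    return cur.rowcount


def update_smon_scoped(conn: sqlite3.Connection, smon_id: int,
                       caller_group: int, name: str) -> int:
    """Hardened shape: same predicate the DELETE path uses (id AND user_group).
    rowcount 0 means the row is missing or belongs to another group; the route
    can treat both as not found, so the caller learns nothing about other ids."""
    cur = conn.execute(
        "UPDATE smon SET name = ? WHERE id = ? AND user_group = ?",
        (name, smon_id, caller_group),
    )
    conn.commit()
    return cur.rowcount


def check_name(conn: sqlite3.Connection, smon_id: int) -> str:
    """Helper for verifying which rows an update actually touched."""
    return conn.execute("SELECT name FROM smon WHERE id = ?", (smon_id,)).fetchone()[0]
```

Wiring `update_smon_scoped` in behind the route's existing group check closes the gap; the group check alone only proves the caller has some group, not that the row is theirs.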
Analysis (AI)
Cross-tenant data tampering in Roxy-WI versions 8.2.6.4 and prior allows any authenticated user to silently overwrite HTTP, TCP, Ping, and DNS monitoring checks belonging to other tenants by sending a crafted PUT /smon/check request with another tenant's smon_id. The flaw stems from missing user_group authorization on the UPDATE SQL path (CWE-639, IDOR), while the DELETE path is correctly filtered - confirming the maintainers knew the right pattern but failed to apply it on update. …
Vulnerability Assessment (AI)

| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must hold valid credentials for any Roxy-WI account in any user group on the target instance (CVSS PR:L), and the Roxy-WI web UI must be reachable from the attacker's network position (AV:N). … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L, score 9.1) reflects network-reachable, low-complexity exploitation by any low-privileged authenticated user, with scope change (cross-tenant impact) and high integrity damage, consistent with multi-tenant IDOR. … |
| Exploit Scenario | A low-privileged tenant user authenticates to Roxy-WI, then iterates smon_id values (1, 2, 3, …) via PUT /smon/check, rewriting each victim tenant's HTTP/TCP/Ping/DNS check definitions, for example pointing a competitor's production health check at a benign always-up endpoint so a real outage goes undetected, or rewriting DNS check parameters to generate spurious paging alerts. Because the DB UPDATE succeeds silently with no cross-tenant access log entry, the victim tenant may not notice until monitoring fails them in production. … |
| Remediation | No vendor-released patch identified at time of analysis; the GitHub Security Advisory GHSA-856h-mvm2-2h2x (https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-856h-mvm2-2h2x) confirms the issue but does not yet list a fixed version. … |
Recommended Action (AI)
Within 24 hours: audit your Roxy-WI deployment and document all instances and tenant counts to establish the operational risk scope. …
EUVD-2026-36037