Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2DescriptionNVD
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user - even a guest in an unrelated group - can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.
AnalysisAI
Roxy-WI 8.2.6.4 and prior exposes a broken object-level authorization flaw in its audit history endpoint, allowing any authenticated user to read any other user's full action audit trail. The GET /history/user/<server_ip> endpoint conflates the server_ip path parameter with a user identifier and performs no authorization check, meaning a guest account in an unrelated group can enumerate administrators' operational history including server IPs touched, configs deployed, and services restarted. No patch is available at time of publication; no public exploit code or active exploitation has been identified.
Technical ContextAI
Roxy-WI is a web-based management interface for infrastructure services including HAProxy, Nginx, Apache, and Keepalived, identified by CPE cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*. The vulnerable endpoint GET /history/<service>/<server_ip> is designed for server-scoped history lookups, but when the service parameter equals 'user', the application repurposes the server_ip path segment as a user identifier for database lookup without validating whether the requesting session has rights to view that user's records. This is a textbook CWE-639 (Authorization Bypass Through User-Controlled Key) flaw: the application trusts a caller-supplied value to select a sensitive resource without enforcing access control, bypassing the group-based authorization model used elsewhere in the application.
RemediationAI
No vendor-released patch has been identified at time of publication - the CVE description explicitly states no publicly available patches exist, and this is corroborated by the absence of a fix version in the advisory reference. The GitHub Security Advisory at https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9 should be monitored for patch availability. As immediate compensating controls: first, audit and remove unnecessary low-privilege and guest accounts that have no legitimate operational need within the Roxy-WI instance, reducing the authenticated attacker surface. Second, restrict network-level access to the Roxy-WI interface via firewall rules or reverse-proxy ACLs so only trusted management IPs can reach it - this limits who can obtain the required authenticated session. Third, if a WAF or reverse proxy is in front of Roxy-WI, consider blocking or alerting on GET requests matching /history/user/* from non-administrative session tokens. The trade-off of network restriction is reduced accessibility for remote administrators; the trade-off of guest account removal is reduced usability for read-only monitoring users.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36043