Skip to main content

Roxy-WI CVE-2026-45563

| EUVDEUVD-2026-36043 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-06-10 GitHub_M
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 10, 2026 - 15:30 vuln.today
CVE Published
Jun 10, 2026 - 14:03 nvd
MEDIUM 4.3

DescriptionNVD

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user - even a guest in an unrelated group - can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.

AnalysisAI

Roxy-WI 8.2.6.4 and prior exposes a broken object-level authorization flaw in its audit history endpoint, allowing any authenticated user to read any other user's full action audit trail. The GET /history/user/<server_ip> endpoint conflates the server_ip path parameter with a user identifier and performs no authorization check, meaning a guest account in an unrelated group can enumerate administrators' operational history including server IPs touched, configs deployed, and services restarted. No patch is available at time of publication; no public exploit code or active exploitation has been identified.

Technical ContextAI

Roxy-WI is a web-based management interface for infrastructure services including HAProxy, Nginx, Apache, and Keepalived, identified by CPE cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*. The vulnerable endpoint GET /history/<service>/<server_ip> is designed for server-scoped history lookups, but when the service parameter equals 'user', the application repurposes the server_ip path segment as a user identifier for database lookup without validating whether the requesting session has rights to view that user's records. This is a textbook CWE-639 (Authorization Bypass Through User-Controlled Key) flaw: the application trusts a caller-supplied value to select a sensitive resource without enforcing access control, bypassing the group-based authorization model used elsewhere in the application.

RemediationAI

No vendor-released patch has been identified at time of publication - the CVE description explicitly states no publicly available patches exist, and this is corroborated by the absence of a fix version in the advisory reference. The GitHub Security Advisory at https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9 should be monitored for patch availability. As immediate compensating controls: first, audit and remove unnecessary low-privilege and guest accounts that have no legitimate operational need within the Roxy-WI instance, reducing the authenticated attacker surface. Second, restrict network-level access to the Roxy-WI interface via firewall rules or reverse-proxy ACLs so only trusted management IPs can reach it - this limits who can obtain the required authenticated session. Third, if a WAF or reverse proxy is in front of Roxy-WI, consider blocking or alerting on GET requests matching /history/user/* from non-administrative session tokens. The trade-off of network restriction is reduced accessibility for remote administrators; the trade-off of guest account removal is reduced usability for read-only monitoring users.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-45563 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy