
Roxy-WI CVE-2026-45567

EUVD-2026-36064 · HIGH
Improper Authentication (CWE-287)
2026-06-10 · GitHub_M
CVSS 3.1 (NVD): 8.3

Severity by source

NVD (primary): 8.3 HIGH · AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Primary rating from NVD; NVD is the only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low

Lifecycle Timeline

Analysis Generated: Jun 10, 2026 - 16:24 (vuln.today)
CVE Published: Jun 10, 2026 - 15:37 (nvd) · HIGH 8.3

Description (NVD)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability via 'api' substring in URL + unauthenticated /api/gpt. At time of publication, there are no publicly available patches.

Analysis (AI)

Authentication bypass in Roxy-WI versions 8.2.6.4 and prior allows remote unauthenticated attackers to reach protected API functionality by including the 'api' substring in the URL, with the /api/gpt endpoint specifically exposed without authentication. The flaw carries a CVSS 8.3 with scope change and affects a web management interface for HAProxy, Nginx, Apache, and Keepalived, and no public exploit has been identified at time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify exposed Roxy-WI instance
Delivery: Craft HTTP request with 'api' substring
Exploit: Bypass authentication middleware
Execution: Invoke /api/gpt or other API routes
Persist: Manipulate managed HAProxy/Nginx/Apache/Keepalived config
Impact: Impact confidentiality, integrity and availability of the proxied services

Vulnerability Assessment (AI)

Exploitation: Exploitation requires only network reachability to the Roxy-WI web interface on a vulnerable instance (version 8.2.6.4 or earlier) and the ability to issue an HTTP request whose URL either contains the substring 'api' (triggering the authentication-bypass code path) or targets the /api/gpt endpoint (which is unauthenticated by design). …

Risk Assessment: The CVSS vector AV:N/AC:L/PR:N/UI:N indicates fully remote, low-complexity, unauthenticated exploitation, which is the worst-case combination for an exposed management UI. Scope is changed (S:C), reflecting that bypassing authentication in the UI lets the attacker reach functionality belonging to a different security authority (the managed proxy/load-balancer infrastructure). …

Exploit Scenario: An attacker who can reach a Roxy-WI instance over the network sends an unauthenticated HTTP request to /api/gpt (or another URL crafted to contain the 'api' substring) and obtains access to API functionality that should require an authenticated session, allowing interaction with the management plane of the underlying HAProxy/Nginx/Apache/Keepalived servers. Because the attack is network-based, low-complexity, and requires no privileges or user interaction, opportunistic mass scanning for Roxy-WI instances is plausible once the bypass URL pattern is widely known. …

Remediation: No vendor-released patch was identified at time of analysis, so administrators must rely on compensating controls until an updated Roxy-WI release is published; track the GHSA-4fcm-qgg8-w2vf advisory at https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-4fcm-qgg8-w2vf for the fixed version. …

Recommended Action (AI)

Within 24 hours: Audit Roxy-WI logs for unauthorized /api/gpt and /api endpoint access; inventory all internet-exposed Roxy-WI instances and prioritize by infrastructure criticality. …
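As an added example (not code from vuln.today or the Roxy-WI project), the log audit above can be scripted: the triage below flags requests to /api/gpt and requests whose URL carries the 'api' substring outside the canonical /api/ prefix, the pattern the description names. The log lines and the combined-log format are constructed assumptions; the real format depends on the web server in front of the Roxy-WI UI.

```python
import re
from collections import Counter

# Constructed sample lines in combined access-log format (not real Roxy-WI logs).
# 192.0.2.x / 198.51.100.x / 203.0.113.x are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:15:40:01 +0000] "GET /api/gpt HTTP/1.1" 200 512 "-" "curl/8.5"
203.0.113.7 - - [10/Jun/2026:15:40:02 +0000] "GET /api/server/1 HTTP/1.1" 200 2048 "-" "curl/8.5"
198.51.100.4 - - [10/Jun/2026:15:41:10 +0000] "GET /rapid/status HTTP/1.1" 200 300 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2026:15:41:11 +0000] "GET /users?next=api HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2026:15:42:00 +0000] "GET /login HTTP/1.1" 200 800 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2026:15:42:05 +0000] "POST /api/server/1 HTTP/1.1" 401 90 "-" "Mozilla/5.0"
"""

# ip, timestamp, method, URL and status of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def classify(url: str):
    """Return a review reason for a URL, or None if it is not of interest."""
    if url.startswith("/api/gpt"):
        return "unauthenticated /api/gpt endpoint"
    # The bypass is keyed on the bare substring 'api', so a path like /rapid/...
    # or a query value containing 'api' is worth a look; genuine /api/ calls
    # need correlation with session data and are not flagged here.
    if "api" in url and not url.startswith("/api/"):
        return "'api' substring outside the /api/ prefix"
    return None


def find_suspicious(log_text: str):
    """Return (ip, method, url, reason) for requests that were not rejected."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        reason = classify(m["url"])
        if reason and m["status"] != "401":  # 401 means auth held, not bypassed
            hits.append((m["ip"], m["method"], m["url"], reason))
    return hits


def top_sources(hits):
    """Rank flagged source IPs, most active first."""
    return Counter(ip for ip, *_ in hits).most_common()
```

Run it against the real access log of the host serving Roxy-WI and pass the flagged sources and URLs to whoever owns the instance; a hit only marks a request for review, not a confirmed bypass.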


CVE-2026-45567 vulnerability details – vuln.today
