CVE-2026-45549
Status: Received - Intake
Privilege Escalation in Roxy-WI via Unauthorized Systemd Actions

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) carries only the decorators @bp.post('/agent/action/<action>') and @jwt_required(): there is no role check and no group ownership check on the server_ip form field. Any authenticated user, including role 4 (guest), can start, stop, or restart the roxy-wi-smon-agent systemd unit on any server they can name. Roxy-WI executes the systemd action over its own SSH credentials (passwordless sudo), so the action runs as root on the target. At time of publication, there are no publicly available patches.
Generated: 2026-06-10
Affected Vendors & Products

Vendor    Product    Version / Range
roxy-wi   roxy-wi    to 8.2.6.4 (exc)
CWE
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Executive Summary

CVE-2026-45549 is an authorization bypass vulnerability in Roxy-WI versions up to 8.2.6.4. The issue exists in the agent_action function at the POST /smon/agent/action/<action> endpoint, which lacks proper role and group ownership checks. This means any authenticated user, including guests, can start, stop, or restart the roxy-wi-smon-agent systemd unit on any server by specifying its IP address.

Because Roxy-WI executes these commands over SSH with passwordless sudo privileges, the actions run as root on the target server. This allows an attacker to perform privileged operations remotely without proper authorization.

Impact Analysis

This vulnerability can lead to significant impacts including denial-of-service (DoS) attacks across tenants. An attacker can silently disable monitoring on a victim's server by stopping the smon-agent, which halts status event reporting.

Because the commands run as root on the target server, the availability impact is high: an attacker can disrupt critical monitoring services at will. The vulnerability has a CVSS score of 8.5 (High), indicating a serious issue with low attack complexity and no user interaction required.

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized POST requests to the /smon/agent/action/<action> endpoint on Roxy-WI servers running version 8.2.6.4 or earlier.

Specifically, look for POST requests from authenticated users, including those with guest roles, attempting to start, stop, or restart the roxy-wi-smon-agent systemd unit by specifying server IP addresses.

Network or application logs can be searched for such suspicious POST requests.

Suggested detection approaches include reproducing the request pattern against a test instance with a tool such as curl or wget to confirm what the logs record, and searching logs with commands such as:

  • grep -i 'POST /smon/agent/action/' /var/log/nginx/access.log
  • grep -i 'agent/action' /path/to/roxy-wi/logs/*
  • tcpdump or Wireshark filters to capture HTTP POST requests to /smon/agent/action/

Additionally, monitoring systemd logs on target servers for unexpected start, stop, or restart commands of the roxy-wi-smon-agent service may help detect exploitation attempts.
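The log search above, as an added example that is not part of the advisory or of Roxy-WI: a small parser that scans nginx access-log lines in the default "combined" format for POST requests to the agent_action endpoint and reports the client, the systemd verb and whether the request was accepted. The log lines are constructed; note that the server_ip form field travels in the POST body and never appears in an access log, so the target server has to be recovered from Roxy-WI's own logs or from journald on the managed hosts.

```python
"""Added example (not from the advisory or Roxy-WI): find POST requests to
/smon/agent/action/<action> in nginx access-log lines. Sample lines are constructed."""
import re
from typing import Dict, Iterable, List

# nginx "combined" format up to the status code; the request path is the
# endpoint the advisory describes.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Only the three systemd verbs the endpoint accepts; optional trailing slash / query.
ACTION_RE = re.compile(r'^/smon/agent/action/(?P<action>start|stop|restart)/?(?:\?|$)')


def find_agent_actions(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per POST to the agent_action endpoint.

    'succeeded' is True for a 2xx response, i.e. the action was dispatched;
    a 4xx (for example after a WAF rule blocks the path) is still reported so
    that probing can be seen. The target server_ip is not in the access log.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        a = ACTION_RE.match(m["path"])
        if not a:
            continue
        hits.append({
            "client": m["client"],
            "time": m["ts"],
            "action": a["action"],
            "succeeded": m["status"].startswith("2"),
        })
    return hits


# Constructed sample: one accepted stop, one GET (not a hit), one blocked
# restart, one unrelated agent route.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2026:12:00:01 +0000] "POST /smon/agent/action/stop HTTP/1.1" 200 15 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2026:12:00:02 +0000] "GET /smon/agent/action/stop HTTP/1.1" 405 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jun/2026:12:01:10 +0000] "POST /smon/agent/action/restart HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jun/2026:12:01:11 +0000] "POST /smon/agent/status HTTP/1.1" 200 40 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_agent_actions(SAMPLE_LOG):
        print(hit)
```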

Mitigation Strategies

Immediate mitigation steps include restricting access to the /smon/agent/action/<action> endpoint to trusted users only, as the vulnerability allows any authenticated user, including guests, to control the roxy-wi-smon-agent service.

Since no public patches are available at the time of publication, consider implementing network-level controls such as firewall rules or web application firewall (WAF) rules to block unauthorized POST requests to this endpoint.

Review and limit user roles and permissions within Roxy-WI to minimize the number of users who can authenticate and access this functionality.

Monitor systemd service status for the roxy-wi-smon-agent on all managed servers to detect unexpected stops or restarts.

Plan to apply proper authorization checks in the application by adding decorators such as @get_user_params(), @page_for_admin(level=2), and @check_is_server_in_group() once patches become available.
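The two checks named above, as an added example that is not Roxy-WI's own code: a framework-free function that applies a role check (what a @page_for_admin(level=2)-style decorator would enforce) and a group ownership check on the server_ip field (what @check_is_server_in_group() would enforce) before any systemd action is built. The role numbering beyond "4 = guest", the meaning of level=2 as "role 2 or lower", and the server-to-group inventory are assumptions made for the example.

```python
"""Added example, not Roxy-WI's code: the authorization decision the advisory
says agent_action lacks. Role numbers (4 = guest per the advisory), the
'level=2' meaning and the server-to-group table are assumptions."""
from dataclasses import dataclass
from typing import Dict, Tuple

ROLE_GUEST = 4                 # role 4 is guest, as stated in the advisory
ADMIN_LEVEL = 2                # assumed meaning of level=2: role number <= 2
ALLOWED_ACTIONS = frozenset({"start", "stop", "restart"})
UNIT = "roxy-wi-smon-agent"


@dataclass(frozen=True)
class User:
    user_id: int
    role: int                  # lower number = more privilege (assumed)
    group_id: int


# Constructed inventory: which user group owns which managed server.
SERVER_GROUPS: Dict[str, int] = {
    "10.0.0.10": 1,
    "10.0.0.20": 2,
}


def authorize_agent_action(user: User, action: str, server_ip: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Every branch fails closed."""
    # 1. Only the fixed set of systemd verbs is accepted.
    if action not in ALLOWED_ACTIONS:
        return False, f"unsupported action {action!r}"
    # 2. Role check: guests (and any role above the admin level) are refused.
    if user.role > ADMIN_LEVEL:
        return False, f"role {user.role} may not control {UNIT}"
    # 3. Group ownership check on the server_ip form field. An IP that is
    #    not in the inventory is refused rather than handed to SSH.
    owner = SERVER_GROUPS.get(server_ip)
    if owner is None:
        return False, f"server {server_ip} is not in the inventory"
    if owner != user.group_id:
        return False, f"server {server_ip} belongs to group {owner}, not {user.group_id}"
    return True, "ok"


def agent_action(user: User, action: str, server_ip: str) -> str:
    """Hardened counterpart of the endpoint body: authorize first, then build
    the command that would be dispatched over SSH (not executed here)."""
    allowed, reason = authorize_agent_action(user, action, server_ip)
    if not allowed:
        raise PermissionError(reason)
    return f"sudo systemctl {action} {UNIT}"
```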

Compliance Impact

The vulnerability in Roxy-WI allows any authenticated user, including guests, to execute system-level commands as root on target servers, potentially causing denial-of-service by stopping monitoring agents. This unauthorized control and disruption of system availability can lead to non-compliance with standards and regulations that require strict access controls, integrity, and availability of systems and data.

Specifically, regulations like GDPR and HIPAA mandate protecting the integrity and availability of personal and sensitive data. The ability for low-privilege users to disrupt monitoring and management services could hinder detection of malicious activity and system failures, thereby increasing risk of data breaches or loss of data availability.

Therefore, this vulnerability represents a failure in proper authorization controls (CWE-862, CWE-863), which is critical for compliance with such standards.
