CVE-2026-45550
Status: Deferred - Pending Action

Unauthorized Update of Monitoring Checks in Roxy-WI

Vulnerability report for CVE-2026-45550, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask(), which validates that the caller has some group, not that the target check_id belongs to it. The downstream SQL update functions update_smon, update_smonHttp, update_smonTcp, update_smonPing and update_smonDns (app/modules/db/smon.py:515-562) all execute WHERE smon_id = ? with no user_group filter. The DELETE path is correctly filtered (app/modules/db/smon.py:319-327 does WHERE id = ? AND user_group = ?), demonstrating that the maintainers know the right pattern but did not apply it on UPDATE. Therefore any authenticated user can iterate over smon_id values and silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. At the time of publication there are no publicly available patches.
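As an added illustration of the authorization gap the description reports (example code written for this page, not Roxy-WI's own code), the following Python models the two SQL shapes side by side: an UPDATE keyed only on the row id, and a tenant-scoped UPDATE that mirrors the filtered DELETE pattern, backed by a route-level ownership check. The table name, column names, group ids and sample rows are constructed assumptions and do not reflect Roxy-WI's actual schema.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a multi-tenant check table.
    Table and column names are assumptions for this example, not Roxy-WI's schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE smon (id INTEGER PRIMARY KEY, user_group INTEGER NOT NULL, "
        "name TEXT NOT NULL, url TEXT NOT NULL, check_interval INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO smon (id, user_group, name, url, check_interval) VALUES (?, ?, ?, ?, ?)",
        [
            (1, 10, "tenant-a-api", "https://a.example/health", 60),  # owned by group 10
            (2, 20, "tenant-b-api", "https://b.example/health", 60),  # owned by group 20
        ],
    )
    conn.commit()
    return conn


def update_check_unscoped(conn, check_id, url, interval):
    """Defective pattern: the WHERE clause keys only on the row id, so the caller's
    group plays no part once the route has let the request through."""
    cur = conn.execute(
        "UPDATE smon SET url = ?, check_interval = ? WHERE id = ?",
        (url, interval, check_id),
    )
    conn.commit()
    return cur.rowcount


def update_check_scoped(conn, check_id, user_group, url, interval):
    """Hardened pattern, the same shape the report describes for the DELETE path:
    the tenant is part of the WHERE clause, so a foreign id matches zero rows."""
    cur = conn.execute(
        "UPDATE smon SET url = ?, check_interval = ? WHERE id = ? AND user_group = ?",
        (url, interval, check_id, user_group),
    )
    conn.commit()
    return cur.rowcount


def check_belongs_to_group(conn, check_id, user_group):
    """Route-level ownership check: True only if the row exists in the caller's group."""
    row = conn.execute(
        "SELECT 1 FROM smon WHERE id = ? AND user_group = ?", (check_id, user_group)
    ).fetchone()
    return row is not None


def handle_put_check(conn, caller_group, check_id, url, interval):
    """Minimal model of a PUT handler: refuse (403-style) unless the check is owned by
    the caller's group, then run the scoped UPDATE so the database enforces it too."""
    if not check_belongs_to_group(conn, check_id, caller_group):
        return {"status": 403, "updated": 0}
    updated = update_check_scoped(conn, check_id, caller_group, url, interval)
    return {"status": 200, "updated": updated}


def demo():
    """Group 20 acting on check id 1, which belongs to group 10, under each pattern."""
    conn = make_db()
    unscoped = update_check_unscoped(conn, 1, "https://b.example/collector", 5)   # 1 row
    scoped = update_check_scoped(conn, 1, 20, "https://b.example/collector2", 5)  # 0 rows
    handled = handle_put_check(conn, 20, 1, "https://b.example/collector3", 5)    # 403
    own = handle_put_check(conn, 20, 2, "https://b.example/health2", 30)          # 200
    url_of_1 = conn.execute("SELECT url FROM smon WHERE id = 1").fetchone()[0]
    return {"unscoped": unscoped, "scoped": scoped, "handled": handled,
            "own": own, "url_of_1": url_of_1}


if __name__ == "__main__":
    print(demo())
```

The rowcount is the useful signal: a tenant-scoped UPDATE that touches zero rows tells the handler to return an error instead of a silent success, and the explicit ownership query before it gives a second, independent layer in case a future query is written without the filter.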

Meta Information

Published: 2026-06-10
Last Modified: 2026-06-10
Generated: 2026-06-30
AI Q&A: 2026-06-10
EPSS Evaluated: 2026-06-29

Affected Vendors & Products

Showing 2 associated CPEs

Vendor    Product    Version / Range
roxy-wi   roxy-wi    to 8.2.6.4 (inc)
roxy-wi   roxy-wi    to 8.2.6.4 (exc)

Exploitability

CWE

CWE ID    Description
CWE-862   The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-863   The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-639   The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

AI Quick Actions (instant insights powered by AI)

Executive Summary

This vulnerability is a critical Insecure Direct Object Reference (IDOR) in the Roxy-WI monitoring tool (versions 8.2.6.4 and prior). It affects the PUT /smon/check endpoint, where the system only verifies that the user belongs to some group but does not confirm that the monitoring check (check_id) being updated actually belongs to that user's group.

Because of this insufficient authorization, any authenticated user can modify or rewrite monitoring checks belonging to other tenants by manipulating the check_id parameter. The update functions do not filter by user group, allowing unauthorized changes, while the DELETE endpoint correctly applies such filtering.

Impact Analysis

This vulnerability can have serious impacts, including allowing attackers to silently disable or redirect monitoring checks that belong to other tenants.

Attackers could exfiltrate sensitive data such as API keys or JWT tokens by redirecting monitoring checks to attacker-controlled endpoints.

It can also cause denial-of-service conditions by setting aggressive polling intervals on monitoring checks.

Detection Guidance

This vulnerability involves unauthorized modification of monitoring checks via the PUT /smon/check endpoint by authenticated users. Detection can focus on monitoring unusual or unauthorized PUT requests to this endpoint, especially those that modify check_id values not belonging to the authenticated user.

You can inspect web server logs or use network monitoring tools to identify suspicious PUT requests to /smon/check. Look for patterns where a user iterates over multiple check_id values or modifies checks outside their group.

Example commands to detect such activity might include:

  • Using grep on web server logs to find PUT requests to /smon/check: grep 'PUT /smon/check' /var/log/nginx/access.log
  • Using tcpdump to capture HTTP traffic and filter PUT requests to /smon/check: tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'PUT /smon/check'
  • Analyzing application logs for unexpected updates to monitoring checks by users who should not have access.
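To make the log-review guidance above concrete, here is an added Python example (written for this page, not part of the original report or of Roxy-WI) that parses nginx combined-format access-log lines, counts PUT /smon/check requests per client, and flags clients whose requests arrive in a tight burst, which is what sweeping through check ids looks like from the web server's side. The log lines, the 60-second window and the threshold of five are constructed assumptions. An access log cannot show which check_id a request body carried, so the "outside their group" part of the guidance still needs the application's own audit records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# nginx "combined" log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "[^"]*"'
)

# Constructed sample lines for this example; they are not from any real deployment.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Jun/2026:12:00:00 +0000] "GET /smon/ HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jun/2026:12:00:05 +0000] "PUT /smon/check HTTP/1.1" 200 52 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2026:12:00:01 +0000] "PUT /smon/check HTTP/1.1" 200 52 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:12:00:03 +0000] "PUT /smon/check HTTP/1.1" 200 52 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:12:00:05 +0000] "PUT /smon/check HTTP/1.1" 200 52 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:12:00:07 +0000] "PUT /smon/check HTTP/1.1" 200 52 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:12:00:09 +0000] "PUT /smon/check HTTP/1.1" 200 52 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:12:00:11 +0000] "PUT /smon/check HTTP/1.1" 200 52 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:12:00:13 +0000] "PUT /smon/check HTTP/1.1" 200 52 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2026:12:00:15 +0000] "PUT /smon/check HTTP/1.1" 200 52 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jun/2026:12:09:40 +0000] "PUT /smon/check HTTP/1.1" 200 52 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    # Key on the logged user when there is one; session-based apps usually log "-",
    # so fall back to the client IP.
    rec["client"] = rec["user"] if rec["user"] != "-" else rec["ip"]
    return rec


def put_check_events(lines):
    """Sorted timestamps of PUT /smon/check requests, grouped per client."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "PUT" and rec["path"].split("?", 1)[0] == "/smon/check":
            events[rec["client"]].append(rec["ts"])
    for ts_list in events.values():
        ts_list.sort()
    return events


def count_put_checks(lines):
    """Total PUT /smon/check requests per client (the grep in the guidance, aggregated)."""
    return {client: len(ts) for client, ts in put_check_events(lines).items()}


def find_burst_clients(lines, window=timedelta(seconds=60), threshold=5):
    """Clients with more than `threshold` PUT /smon/check requests inside any sliding
    `window`. Threshold and window are tuning assumptions: an operator edits a few
    checks by hand, while an id sweep produces a tight burst of updates."""
    flagged = {}
    for client, ts_list in put_check_events(lines).items():
        start, peak = 0, 0
        for end, ts in enumerate(ts_list):
            while ts - ts_list[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(count_put_checks(lines))
    print(find_burst_clients(lines))
```

Run it against a real file with `find_burst_clients(open("/var/log/nginx/access.log").read().splitlines())`; the sliding window is what separates a single busy operator from an enumeration, since a plain count over a whole day would also flag a team that legitimately maintains many checks.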

Mitigation Strategies

Since no patches are currently available for this vulnerability, immediate mitigation steps focus on limiting exposure and reducing risk.

  • Restrict access to the Roxy-WI web interface to trusted users and networks only.
  • Implement strict authentication and monitor user activity closely for suspicious PUT requests to /smon/check.
  • Consider temporarily disabling or restricting the PUT /smon/check endpoint if possible, to prevent unauthorized updates.
  • Use network-level controls such as firewalls or web application firewalls (WAF) to block or alert on suspicious requests targeting this endpoint.
  • Prepare to apply patches or updates once they become available, as recommended fixes include adding user_group validation to update functions and route-level authorization checks.

Compliance Impact

The vulnerability allows any authenticated user to modify or rewrite monitoring checks belonging to other tenants without proper authorization. This unauthorized access and modification can lead to exposure or manipulation of sensitive data such as API keys or JWTs, which may result in violations of data protection regulations like GDPR or HIPAA that require strict controls over data integrity and confidentiality.

Because the flaw enables attackers to silently alter monitoring configurations and potentially exfiltrate sensitive information, it undermines the security controls necessary for compliance with standards that mandate protection against unauthorized access and data breaches.
