CVE-2026-45552
Status: Received - Intake
Roxy-WI Admin Bypass via Missing Access Controls

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/routes/install/routes.py:36-39). The individual endpoints install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, and get_task_status are not wrapped in page_for_admin and do not call roxywi_common.is_user_has_access_to_its_group(server_ip) or check_is_server_in_group(server_ip). Only the GET index page (install_monitoring) gates on roxywi_auth.page_for_admin(level=2). Because the missing decorators omit both the role check and the group check, any logged-in user, including the default guest role 4, can install or reconfigure exporters, WAF, and GeoIP databases on every server in the Roxy-WI database, regardless of tenant ownership. The Ansible playbooks run with the per-server SSH credential stored in Roxy-WI, which the credential's rightful owner (a different tenant) has provisioned with sudo rights for the management workflow. At time of publication, there are no publicly available patches.
Meta Information
Generated: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: roxy-wi
Product: roxy-wi
Version / Range: to 8.2.6.4 (exc)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-863: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
AI Quick Actions
Executive Summary

This vulnerability affects Roxy-WI, a web interface used to manage Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and earlier, certain installation endpoints lack proper access control checks. Specifically, endpoints like install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, and get_task_status do not enforce role or group-based restrictions. As a result, any logged-in user, including those with a default guest role, can perform installation or reconfiguration actions on exporters, WAF, and GeoIP databases across all servers in the Roxy-WI database, regardless of tenant ownership.

This happens because these endpoints are missing the decorators that enforce admin-level access and group membership, so any authenticated user can trigger privileged operations. The Ansible playbooks behind these operations run with the per-server SSH credentials stored in Roxy-WI; those credentials carry sudo rights and belong to other tenants, which makes the missing checks far more damaging.

At the time of publication, no public patches are available to fix this issue.

Compliance Impact

This vulnerability allows unauthorized users, including guest accounts, to access and modify servers across tenant boundaries, leading to potential unauthorized disclosure, modification, and disruption of sensitive data and services.

Such unauthorized access and control over server configurations and data can result in violations of compliance requirements under standards like GDPR and HIPAA, which mandate strict access controls, data confidentiality, integrity, and availability.

Because the vulnerability enables cross-tenant access without proper authorization checks, it undermines tenant isolation and data protection principles critical to these regulations.

Detection Guidance

This vulnerability can be detected by checking if the Roxy-WI installation is running version 8.2.6.4 or earlier and if the endpoints under /install/* are accessible to authenticated users without proper role and group checks.

Specifically, you can test whether a logged-in user with a low-privilege role (such as the default guest role 4) can access and execute actions on the following endpoints without admin-level authorization:

  • install_exporter
  • install_waf
  • install_geoip
  • check_geoip
  • get_exporter_version
  • get_task_status

To verify exposure, call these endpoints with a low-privilege user and compare the response with the one an admin of the owning group receives. Start with the read-only calls (get_task_status, get_exporter_version, check_geoip): a successful response for an account that should not reach them is enough to confirm the missing check. Treat install_exporter, install_waf and install_geoip as destructive, since a successful call runs an Ansible playbook on the target server with the stored sudo-capable SSH credential; exercise them only against a test instance or a server you own.

The resources provide no specific commands; curl or wget with the low-privilege user's JWT is sufficient to send the GET or POST requests and inspect the status codes.
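The check described above, as an added example that is not part of the advisory or of Roxy-WI itself. It sends requests to the named endpoints with a low-privilege user's JWT and classifies each response. The route paths, the POST body field server_ip and the Bearer-header token transport are assumptions to adjust for the instance under test; the state-changing install_* calls are skipped unless explicitly enabled, because a 200 from them means a playbook actually ran with the stored sudo credential.

```python
"""Probe Roxy-WI /install/* endpoints with a low-privilege JWT (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

# (handler name from the advisory, method, path, state_changing)
# Paths and methods are ASSUMED for illustration; confirm them against the target build.
ENDPOINTS = [
    ("get_task_status",      "GET",  "/install/task_status",      False),
    ("get_exporter_version", "GET",  "/install/exporter/version", False),
    ("check_geoip",          "GET",  "/install/geoip/check",      False),
    ("install_exporter",     "POST", "/install/exporter",         True),
    ("install_waf",          "POST", "/install/waf",              True),
    ("install_geoip",        "POST", "/install/geoip",            True),
]


def classify(status):
    """Verdict for a response received by a caller who should NOT be allowed."""
    if status in (401, 403):
        return "denied"
    if status == 404:
        return "not-found"      # path assumption is wrong for this build; fix and re-probe
    if 200 <= status < 300:
        return "EXPOSED"        # a guest reached an endpoint that should be admin-only
    return f"unexpected-{status}"


def urllib_fetch(method, url, token, body=None):
    """Send one request with the JWT as a Bearer token; return the HTTP status."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")   # transport is an assumption
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as e:
        return e.code


def probe(base_url, token, include_state_changing=False, fetch=urllib_fetch,
          server_ip="192.0.2.10"):
    """Return {handler_name: verdict} for a low-privilege token.

    install_* endpoints are reported as "skipped" unless include_state_changing
    is set, since a success there reconfigures a real server.
    """
    results = {}
    base = base_url.rstrip("/")
    for name, method, path, changes_state in ENDPOINTS:
        if changes_state and not include_state_changing:
            results[name] = "skipped"
            continue
        if method == "GET":
            url = base + path + "?" + urllib.parse.urlencode({"server_ip": server_ip})
            body = None
        else:
            url = base + path
            body = {"server_ip": server_ip}
        results[name] = classify(fetch(method, url, token, body))
    return results


def is_vulnerable(results):
    """True if any probed endpoint answered successfully to the low-privilege caller."""
    return any(v == "EXPOSED" for v in results.values())


if __name__ == "__main__":
    import sys
    # usage: probe.py https://roxy-wi.example <guest-jwt>
    verdicts = probe(sys.argv[1], sys.argv[2])
    for name, verdict in verdicts.items():
        print(f"{name:22s} {verdict}")
    print("VULNERABLE" if is_vulnerable(verdicts) else "no exposure seen (read-only probes only)")
```

Run it with a guest-role token against a test instance first; a fixed build should answer the read-only probes with a 401/403 for that user, while an admin of the owning group still gets a 2xx.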

Impact Analysis

This vulnerability can have severe impacts because it allows any authenticated user, even those with minimal privileges, to install or reconfigure critical components like exporters, WAF, and GeoIP databases on all servers managed by Roxy-WI.

Since the Ansible playbooks run with SSH credentials that have sudo rights, unauthorized users could potentially execute commands with elevated privileges on servers belonging to other tenants. This could lead to unauthorized changes, service disruptions, data exposure, or further compromise of the affected servers.

The vulnerability has a very high severity score (CVSS 9.9), indicating it poses a critical risk to confidentiality, integrity, and availability.

Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation steps should focus on restricting access to the vulnerable endpoints.

  • Because the endpoints enforce no role or group check at all, tightening roles alone is not enough: remove or disable guest and other low-privilege accounts, so that only users who are trusted with admin-level actions on every managed server can log in at all.
  • Implement network-level access controls to restrict access to the Roxy-WI web interface only to trusted administrators.
  • Monitor and audit usage of the Roxy-WI interface for any unauthorized configuration changes.
  • Consider disabling or restricting the use of Ansible playbooks that use stored SSH credentials until a patch is available.
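The shape of the underlying bug and of its fix, as an added example that is neither Roxy-WI's code nor a patch for it. It models in plain Python what the description and the mitigation list describe: a blueprint-wide "the JWT is valid" gate on its own (the vulnerable shape) next to a per-handler gate that also checks the role level and that the server belongs to the caller's group (the hardened shape). The decorator names mirror those cited in the description, but their implementations, the role numbering (1 = most privileged, 4 = guest) and the server inventory are assumptions for illustration.

```python
"""Vulnerable vs hardened authorization for install-style handlers (added example)."""
import functools
from dataclasses import dataclass

ROLE_GUEST = 4   # assumed: higher number = fewer rights, matching "default guest role 4"


@dataclass(frozen=True)
class User:
    name: str
    role: int       # 1..4, lower is more privileged (assumption)
    group_id: int   # the tenant the user belongs to


# Constructed inventory: server_ip -> owning group (tenant). Not real data.
SERVERS = {"192.0.2.10": 1, "192.0.2.20": 2}


class Forbidden(Exception):
    pass


def authenticated(handler):
    """What a blueprint-wide jwt_required() gives you: a valid session, nothing more."""
    @functools.wraps(handler)
    def wrapper(user, *args, **kw):
        if user is None:
            raise Forbidden("no session")
        return handler(user, *args, **kw)
    return wrapper


def page_for_admin(level):
    """Role gate (CWE-862 fix): the caller's role number must be <= level."""
    def deco(handler):
        @functools.wraps(handler)
        def wrapper(user, *args, **kw):
            if user.role > level:
                raise Forbidden(f"role {user.role} > required {level}")
            return handler(user, *args, **kw)
        return wrapper
    return deco


def server_in_users_group(handler):
    """Tenant gate (CWE-639 fix): server_ip must be owned by the caller's group.
    Unknown servers fail closed."""
    @functools.wraps(handler)
    def wrapper(user, server_ip, *args, **kw):
        if SERVERS.get(server_ip) != user.group_id:
            raise Forbidden(f"{server_ip} not in group {user.group_id}")
        return handler(user, server_ip, *args, **kw)
    return wrapper


# Vulnerable shape: only the session check applies, so any logged-in user,
# guest included, reaches the playbook on any server.
@authenticated
def install_exporter_vulnerable(user, server_ip):
    return f"playbook run on {server_ip} as {user.name}"


# Hardened shape: the same handler with the role and group gates added per route.
@authenticated
@page_for_admin(level=2)
@server_in_users_group
def install_exporter_hardened(user, server_ip):
    return f"playbook run on {server_ip} as {user.name}"


def try_call(handler, user, server_ip):
    """Run a handler and turn a Forbidden into a readable verdict string."""
    try:
        return handler(user, server_ip)
    except Forbidden as e:
        return f"denied: {e}"


if __name__ == "__main__":
    guest = User("guest", ROLE_GUEST, 2)
    other_tenant_admin = User("admin2", 2, 2)
    owner_admin = User("admin1", 2, 1)
    for who in (guest, other_tenant_admin, owner_admin):
        print(f"{who.name:7s} vulnerable: {try_call(install_exporter_vulnerable, who, '192.0.2.10')}")
        print(f"{who.name:7s} hardened:   {try_call(install_exporter_hardened, who, '192.0.2.10')}")
```

The order of the decorators matters: the session check runs first, then the role check, then the group check, so a cross-tenant admin is stopped by the group gate even though the role gate lets them through. Both gates have to be on every state-changing route, not only on the index page.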