CVE-2026-45561
Status: Received - Intake
Server-Side Request Forgery in Roxy-WI Web Interface

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/{version,uptime,status,checks}/<server_ip> family of routes passes the URL path component verbatim into requests.get(f'http://{server_ip}:{agent_port}/...'). The path component is constrained only by Flask's default URL converter, which accepts any string that does not contain a slash (including IPv4 literals such as 169.254.169.254, RFC1918 addresses and 127.0.0.1), so the Roxy-WI server can be made to issue HTTP requests to any host it can reach. At time of publication, there are no publicly available patches.
CVSS score: none listed
EPSS score: N/A (not yet evaluated)
Affected Vendors & Products

Vendor    Product   Version / Range
roxy-wi   roxy-wi   to 8.2.6.4 (exc)

The CPE range above marks 8.2.6.4 as excluded while the description says 8.2.6.4 and prior are affected; until the project names a fixed release, treat 8.2.6.4 itself as affected.
CWE-918: The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Compliance Impact

The CVE-2026-45561 vulnerability in Roxy-WI allows attackers to perform Server-Side Request Forgery (SSRF) attacks that can lead to unauthorized access to internal resources and potential credential exfiltration, including cloud provider IAM credentials when the Roxy-WI host runs on a cloud instance whose metadata service is reachable over plain HTTP.

Such unauthorized access and data exposure can compromise the confidentiality of sensitive information, which is a critical requirement under common standards and regulations like GDPR and HIPAA.

Therefore, exploitation of this vulnerability could result in non-compliance with these regulations due to failure to protect sensitive data and maintain adequate access controls.

Executive Summary

CVE-2026-45561 is a Server-Side Request Forgery (SSRF) vulnerability in the Roxy-WI software, specifically affecting versions 8.2.6.4 and earlier.

The vulnerability exists in the /smon/agent/<endpoint>/<server_ip> route family, where the server IP parameter is directly used in HTTP requests without proper validation.

Because the application enforces no host allowlist, IP range filter or DNS-rebinding protection on that parameter, an attacker who can reach the route chooses the destination, and the Roxy-WI host itself sends the HTTP request to addresses the attacker cannot reach directly: the cloud metadata service (e.g., 169.254.169.254), services bound only to loopback (127.0.0.1), or other hosts on the management network.

This can lead to unauthorized access to internal resources or credential exfiltration.

Impact Analysis

This vulnerability can have a high confidentiality impact by allowing attackers to reach sensitive internal resources or cloud provider IAM credentials through the Roxy-WI host.

Exploitation could enable attackers to exfiltrate credentials or gain unauthorized access to internal services that are normally protected from external access. Note that in the vulnerable call only the host comes from the attacker; the port and path are supplied by Roxy-WI, so what a given target yields depends on what answers on the agent port and on how much of the response, or its timing, is reflected back to the caller.

The attack can be performed remotely over the network with low complexity and does not require user interaction. No CVSS vector is listed on this page and the description does not state whether the route is reachable without an authenticated Roxy-WI session; plan on the assumption that anyone who can reach the interface can trigger it until the project says otherwise.

Detection Guidance

Exploitation attempts are visible in the access logs of Roxy-WI (or of the reverse proxy in front of it) as requests to the /smon/agent/<endpoint>/<server_ip> routes whose final path segment is not one of your registered servers, in particular loopback, link-local (169.254.169.254) or other non-routable addresses.

Because the agents Roxy-WI monitors normally sit in RFC1918 ranges, a bare match on 10.x or 192.168.x is mostly legitimate monitoring traffic; compare the segment against the list of servers registered in Roxy-WI rather than against the private ranges alone.

Suggested commands to detect potential exploitation attempts include:

  • Using grep on the access log (the log path below is a placeholder): grep -E '/smon/agent/(version|uptime|status|checks)/(169\.254\.|127\.|0\.0\.0\.0|\[?::1|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)' /path/to/roxy-wi/logs/access.log
    A dotted-quad pattern misses the spellings libc resolvers accept, such as the decimal form 2130706433, the hex form 0x7f000001, the short form 127.1, a percent-encoded segment, or a hostname that resolves to an internal address; review every segment that is not the canonical IP literal of a registered server.
  • Watching the Roxy-WI host's outbound connections (tcpdump or Wireshark on that host, or the cloud provider's flow logs) for HTTP to 169.254.169.254, to loopback on the agent port, or to hosts that are not registered servers. Capturing inbound traffic to the interface only shows the path when the interface is served over plain HTTP; with TLS, rely on the access log.
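
The detection logic above, run over constructed sample log lines, as an added example that is not part of this advisory or of Roxy-WI. It normalises the spellings a grep pattern misses (percent-encoding, bracketed IPv6, decimal and hex integers) before classifying the target with the ipaddress module, and takes a set of registered agent addresses so routine monitoring of RFC1918 hosts is not reported. The route regex, the sample log lines and the known_agents set are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import unquote

# Affected route family; the final path segment is the attacker-chosen server_ip.
# Flask's default converter stops at '/', so the segment never contains a slash.
ROUTE_RE = re.compile(
    r'"(?:GET|POST|HEAD)\s+/smon/agent/(?:version|uptime|status|checks)/([^\s?/]+)'
)

# Constructed sample of combined-format access log lines (not real data).
SAMPLE_LOG = [
    '10.0.0.7 - admin [10/Jun/2026:12:00:01 +0000] "GET /smon/agent/status/10.0.0.21 HTTP/1.1" 200 312',
    '198.51.100.9 - - [10/Jun/2026:12:00:05 +0000] "GET /smon/agent/version/169.254.169.254 HTTP/1.1" 200 88',
    '198.51.100.9 - - [10/Jun/2026:12:00:06 +0000] "GET /smon/agent/uptime/2130706433 HTTP/1.1" 502 0',
    '198.51.100.9 - - [10/Jun/2026:12:00:07 +0000] "GET /smon/agent/checks/%5B%3A%3A1%5D HTTP/1.1" 502 0',
    '10.0.0.7 - admin [10/Jun/2026:12:00:09 +0000] "GET /smon/agent/status/agent01.internal HTTP/1.1" 200 300',
    '10.0.0.7 - admin [10/Jun/2026:12:00:10 +0000] "GET /users/ HTTP/1.1" 200 5000',
]


def normalize_host(raw):
    """Return an ipaddress object for the path segment, or None if it is a hostname.

    Percent-encoding, bracketed IPv6 and the integer spellings (2130706433,
    0x7f000001) are folded to a canonical address; ipaddress alone rejects the
    integer forms although libc resolvers accept them. Octal and short dotted
    forms (0177.0.0.1, 127.1) are not handled here.
    """
    host = unquote(raw).strip('[]')
    if re.fullmatch(r'0[xX][0-9a-fA-F]+', host):
        value = int(host[2:], 16)
    elif re.fullmatch(r'\d+', host):
        value = int(host, 10)
    else:
        value = None
    if value is not None:
        return ipaddress.IPv4Address(value) if value < 2**32 else None
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None


def classify(addr):
    """Why an agent target is suspicious, or None for a routable global address."""
    if addr.is_loopback:
        return 'loopback'
    if addr.is_link_local:
        return 'link-local (cloud metadata range)'
    if addr.is_multicast:
        return 'multicast'
    if addr.is_unspecified or addr.is_reserved:
        return 'unspecified/reserved'
    if addr.is_private:
        return 'private'
    return None


def find_ssrf_candidates(log_lines, known_agents=()):
    """Return (raw_segment, canonical_ip_or_None, reason) for suspicious agent calls.

    known_agents: canonical IP strings of servers legitimately registered in
    Roxy-WI. They normally sit in private ranges, so without this set a bare
    RFC1918 match would drown real exploitation in routine monitoring traffic.
    """
    hits = []
    for line in log_lines:
        match = ROUTE_RE.search(line)
        if not match:
            continue
        raw = match.group(1)
        addr = normalize_host(raw)
        if addr is None:
            hits.append((raw, None, 'hostname; resolve before judging'))
            continue
        if str(addr) in known_agents:
            continue
        reason = classify(addr)
        if raw != str(addr):
            # Any non-canonical spelling is itself a signal, even for a global target.
            reason = 'non-canonical spelling; ' + (reason or 'global')
        if reason:
            hits.append((raw, str(addr), reason))
    return hits


if __name__ == '__main__':
    for hit in find_ssrf_candidates(SAMPLE_LOG, known_agents={'10.0.0.21'}):
        print(hit)
```

Hostnames come back with a None address on purpose: judging them requires a resolution step, and resolving attacker-supplied names from the detection pipeline is itself a lookup the attacker can observe, so do that from a host you are happy to expose.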
Mitigation Strategies

Immediate mitigation is to validate the server_ip path segment before it reaches requests.get: parse it strictly as an IP literal and reject loopback, link-local, multicast, unspecified and reserved addresses outright.

Do not simply deny every private range: the agents Roxy-WI talks to normally live on RFC1918 networks, so the check that fits the product is an allowlist, i.e. the value must match, as a canonical address compared with the ipaddress module or equivalent, one of the servers registered in Roxy-WI.

If hostnames must be accepted, resolve the name once, validate every returned address, and send the request to the validated literal rather than to the name, so a second resolution at connection time (DNS rebinding) cannot substitute an internal address; disable redirect following on the outbound request for the same reason.

Since no patches are publicly available at this time, restrict access to the Roxy-WI interface to trusted networks or users, and reduce what a forged request could reach: block egress from the Roxy-WI host to 169.254.169.254 if it does not need the metadata service, or require the provider's token-based metadata variant (for example AWS IMDSv2), which a plain GET such as the one issued by requests.get cannot satisfy.
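A hardened counterpart of the vulnerable call, as an added example that is not Roxy-WI's code or a patch from the project. It assumes the operator's set of registered server addresses and the agent port are available as inputs, refuses hostnames unless explicitly enabled (and then resolves once and connects to the validated literal), and leaves the agent path, shown only as '/...' in the advisory, to the caller.

```python
import ipaddress
import socket

# Assumed names for illustration: registered_servers is the set of server IPs an
# operator has added to Roxy-WI; agent_port is the agent's listening port. Neither
# is taken from Roxy-WI's code base.


def _never_allowed(addr):
    """Destinations an agent request must never reach, allowlisted or not."""
    return (addr.is_loopback or addr.is_link_local or addr.is_multicast
            or addr.is_unspecified or addr.is_reserved)


def resolve_agent_target(server_ip, registered_servers, allow_hostnames=False):
    """Return the one validated ipaddress object a request may be sent to.

    Raises ValueError otherwise. ipaddress parses strictly, so the integer and
    short spellings (2130706433, 0x7f000001, 127.1) that libc accepts are
    rejected instead of silently becoming 127.0.0.1. With allow_hostnames the
    name is resolved once, every answer is checked, and the caller connects to
    the returned literal, so a later re-resolution (DNS rebinding) cannot swap
    in a different host.
    """
    registered = {ipaddress.ip_address(s) for s in registered_servers}
    try:
        candidates = [ipaddress.ip_address(server_ip)]
    except ValueError:
        if not allow_hostnames:
            raise ValueError(f'{server_ip!r} is not an IP literal')
        try:
            infos = socket.getaddrinfo(server_ip, None, proto=socket.IPPROTO_TCP)
        except socket.gaierror as exc:
            raise ValueError(f'cannot resolve {server_ip!r}') from exc
        candidates = [ipaddress.ip_address(info[4][0]) for info in infos]
        if not candidates:
            raise ValueError(f'{server_ip!r} resolved to nothing')
    for addr in candidates:
        if _never_allowed(addr):
            raise ValueError(f'{server_ip!r} points at forbidden address {addr}')
        if addr not in registered:
            raise ValueError(f'{addr} is not a registered Roxy-WI server')
    return candidates[0]


def agent_base_url(addr, agent_port):
    """Build the scheme://host:port prefix from the validated address only.

    The path Roxy-WI appends after this is elided in the advisory ('/...') and
    is not reconstructed here.
    """
    host = f'[{addr}]' if addr.version == 6 else str(addr)
    return f'http://{host}:{int(agent_port)}'


def fetch_agent(path, server_ip, agent_port, registered_servers):
    """Hardened form of requests.get(f'http://{server_ip}:{agent_port}/...')."""
    import requests  # imported here so the validation above is usable without it
    addr = resolve_agent_target(server_ip, registered_servers)
    url = f'{agent_base_url(addr, agent_port)}/{path.lstrip("/")}'
    # The URL carries an IP literal, so no second lookup can change the
    # destination; allow_redirects=False stops whatever answered from bouncing
    # the server elsewhere, and the timeout bounds a blind probing loop.
    return requests.get(url, timeout=5, allow_redirects=False)
```

Registered addresses are compared as ipaddress objects rather than strings so that an IPv6 server written in uncompressed or upper-case form still matches its canonical entry, and the allowlist check deliberately runs after the hard deny list, so registering 127.0.0.1 by mistake does not reopen loopback.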
