CVE-2026-45563
Stored XSS in Roxy-WI Audit Logs via User Parameter

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user, even a guest in an unrelated group, can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.
Affected Vendors & Products
Vendor Product Version / Range
roxy-wi roxy-wi to 8.2.6.4 (exc)
roxy-wi roxy-wi *
CWE ID Description
CWE-863 The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-639 The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

CVE-2026-45563 is an Insecure Direct Object Reference (IDOR) vulnerability in Roxy-WI versions 8.2.6.4 and earlier. It occurs in the /history/<service>/<server_ip> endpoint, where the server_ip parameter is incorrectly treated as a user ID when the service parameter is set to 'user'. This happens without proper authorization checks.

As a result, any authenticated user, including guests from unrelated groups, can access the full action audit trail of any other user. This audit trail includes sensitive information such as server IPs accessed, configuration changes deployed, and services restarted.
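The description and executive summary above both come down to one missing ownership check. The following is an added example, not Roxy-WI's own code: a minimal handler that reproduces the flaw (the path segment is reused as a user id with no check on who is asking) next to a hardened form. The user model, the roles, the group rule and the in-memory audit store are assumptions for illustration only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    group: int
    role: str  # assumed roles: "superadmin", "admin", "user", "guest"


# Constructed sample data: three groups; user 3 is a guest in an unrelated group.
USERS = {
    1: User(1, group=1, role="superadmin"),
    2: User(2, group=2, role="user"),
    3: User(3, group=3, role="guest"),
}
AUDIT = {  # constructed per-user action trails
    1: ["deployed haproxy config to 10.0.0.5"],
    2: ["restarted nginx on 10.0.1.7", "edited keepalived.conf on 10.0.1.8"],
    3: [],
}


def history_vulnerable(current: User, service: str, target: str) -> list:
    """Mirrors the flaw: for service == 'user' the path segment that normally
    carries a server IP is reused as a user id and nobody checks who is asking."""
    if service == "user":
        return AUDIT.get(int(target), [])
    return ["server history for %s" % target]


def can_view_user_history(current: User, target_id: int) -> bool:
    """Ownership check (assumed policy): own record, or superadmin, or an admin
    of the target's group. Unknown ids are denied, which also blocks enumeration."""
    owner = USERS.get(target_id)
    if owner is None:
        return False
    return (
        current.id == target_id
        or current.role == "superadmin"
        or (current.role == "admin" and current.group == owner.group)
    )


def history_fixed(current: User, service: str, target: str) -> list:
    """Hardened handler: validates the id and enforces the ownership check
    before touching the store; denial is a PermissionError, not an empty list."""
    if service != "user":
        return ["server history for %s" % target]
    if not target.isdigit() or not can_view_user_history(current, int(target)):
        raise PermissionError("not authorised to view that user's history")
    return AUDIT[int(target)]
```

Denying unknown ids with the same error as forbidden ones keeps the endpoint from doubling as a user-id oracle.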

Impact Analysis

This vulnerability allows unauthorized users to view sensitive audit logs of other users, which can reveal detailed information about server interactions, configuration deployments, and service restarts.

Such exposure can aid attackers in reconnaissance efforts, potentially enabling targeted attacks against the infrastructure managed by Roxy-WI.

Although the CVSS score is moderate (4.3), the unauthorized disclosure of audit trails can compromise operational security and privacy.

Detection Guidance

Detection has two parts: confirm that the Roxy-WI instance runs a vulnerable version (8.2.6.4 or earlier), then test the endpoint `/history/<service>/<server_ip>` with `service` set to 'user'. Note that in this case the final path segment, although named server_ip, is interpreted as a user id. If an authenticated user can retrieve another user's full action history without holding any right over that user, the vulnerability is present.

One way to run the test is a GET request with curl carrying a valid authenticated session cookie or token, for example:

  • curl -i -H "Cookie: session=<valid_session_cookie>" "https://<roxy-wi-server>/history/user/<other_user_id>"

If the response contains the audit logs or action history of the other user, the vulnerability is confirmed.

Mitigation Strategies

Since no patches are currently available for this vulnerability, immediate mitigation steps include:

  • Restrict access to the Roxy-WI web interface to trusted users only.
  • Limit authenticated user permissions and avoid granting unnecessary access to guest or unrelated groups.
  • Monitor and audit access logs for suspicious activity related to the `/history/user/` endpoint.
  • Consider implementing network-level controls such as firewall rules to restrict access to the Roxy-WI server.
  • Avoid sharing session tokens or credentials that could be used to exploit this vulnerability.

Compliance Impact

This vulnerability allows any authenticated user to access another user's full action audit trail without proper authorization. Such unauthorized access to sensitive audit logs, including server interactions and configuration changes, can lead to exposure of personal or sensitive information.

This unauthorized disclosure of user activity data may violate compliance requirements under standards like GDPR and HIPAA, which mandate strict controls over access to personal and sensitive information and require audit logs to be protected against unauthorized access.
