CVE-2026-45567
Status: Received - Intake
Authentication Bypass in Roxy-WI via API Endpoint

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Versions 8.2.6.4 and prior contain an authentication bypass: the login check is skipped for any URL containing the substring 'api', and the /api/gpt endpoint is reachable without authentication. At time of publication, there are no publicly available patches.
Meta Information
Generated: 2026-06-10
AI Q&A: 2026-06-10
EPSS Evaluated: N/A
Affected Vendors & Products (6 associated CPEs)

Vendor       Product       Version / Range
roxy-wi      roxy-wi       to 8.2.6.4 (exclusive)
haproxy      haproxy       *
nginx        nginx         *
apache       http_server   *
keepalived   keepalived    *
roxy-wi      roxy-wi       8.2.6.4
CWE ID     Description
CWE-697    The product compares two entities in a security-relevant context, but the comparison is incorrect.
CWE-287    When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306    The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Quick Actions (instant insights powered by AI)
Executive Summary

CVE-2026-45567 is an authentication bypass vulnerability in Roxy-WI, a web interface for managing servers like Haproxy, Nginx, Apache, and Keepalived. The issue arises because the login check function improperly skips authentication if the substring "api" appears anywhere in the request URL. This was intended to defer authentication to the API blueprint but inadvertently exposes sensitive routes.

Specifically, the /api/gpt endpoint is registered without authentication decorators, making it fully accessible to unauthenticated attackers. This allows unauthorized access and potential misuse.

The root causes include an incorrect comparison (CWE-697) and missing authentication (CWE-306), which also risks future unauthenticated access to new routes lacking proper authentication decorators.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive endpoints in Roxy-WI without any authentication.

Potential impacts include unauthorized use of the /api/gpt endpoint, which can cause cost amplification from GPT quota usage, exposure of license keys, and the ability for attackers to make outbound network requests from the victim's IP address.

Because no privileges or user interaction are required, the risk is high and can lead to significant security and operational issues.

Detection Guidance

This vulnerability can be detected by checking for unauthenticated access to the /api/gpt endpoint or any URL containing the substring 'api' on the Roxy-WI web interface.

You can use network scanning or HTTP request tools to test if the /api/gpt endpoint is accessible without authentication.

  • Use curl to test access: curl -i http://<target-ip-or-host>/api/gpt
  • Use wget to test access: wget --spider http://<target-ip-or-host>/api/gpt
  • Use a web proxy or browser to manually access URLs containing 'api' and observe if authentication is prompted.
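The monitoring side of this guidance, as an added example that is not part of the advisory or of Roxy-WI: a small access-log scanner that flags successful hits to /api/gpt, counts them per source address (the cost-amplification angle), and separately flags request targets that contain 'api' outside the /api/ blueprint prefix, since on a vulnerable build those would have skipped the login check. The log lines and addresses are constructed samples, and the combined-log-format regex is an assumption about what your reverse proxy writes.

```python
import re
from collections import Counter

# Constructed sample log lines (combined log format); not real Roxy-WI traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2026:12:00:01 +0000] "GET /login HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2026:12:00:05 +0000] "POST /api/gpt HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [10/Jun/2026:12:01:10 +0000] "GET /api/gpt HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.9 - - [10/Jun/2026:12:02:00 +0000] "GET /servers/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2026:12:02:30 +0000] "GET /api/server/list HTTP/1.1" 401 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2026:12:03:00 +0000] "GET /overview?page=api HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# Assumed combined log format: ip ident user [ts] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

GPT_ENDPOINT = "/api/gpt"
API_PREFIX = "/api/"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["path"] = entry["target"].split("?", 1)[0]  # path without query string
    return entry


def flag_requests(log_text):
    """Return a list of (reason, entry) pairs worth reviewing."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        if e["path"] == GPT_ENDPOINT and e["status"] == 200:
            # The endpoint answered; on an unpatched build this needed no credentials.
            flagged.append(("gpt_endpoint_served", e))
        elif "api" in e["target"].lower() and not e["path"].startswith(API_PREFIX):
            # Full request target (path + query) contains 'api' but is not an API
            # route: the substring check would have skipped login here.
            flagged.append(("api_substring_outside_prefix", e))
    return flagged


def summarize(log_text):
    """Count flagged requests by reason."""
    return dict(Counter(reason for reason, _ in flag_requests(log_text)))


def gpt_hits_by_source(log_text):
    """Count served /api/gpt requests per client address, for quota-abuse triage."""
    return dict(Counter(e["ip"] for reason, e in flag_requests(log_text)
                        if reason == "gpt_endpoint_served"))


if __name__ == "__main__":
    for reason, e in flag_requests(SAMPLE_LOG):
        print(f"{reason:30} {e['ip']:15} {e['method']} {e['target']} -> {e['status']}")
    print(summarize(SAMPLE_LOG))
    print(gpt_hits_by_source(SAMPLE_LOG))
```

The 401 on /api/server/list is deliberately not flagged: requests the API blueprint itself rejected are the expected outcome, while a 200 from /api/gpt is what the advisory says should not happen without a session.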
Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation involves restricting access to the vulnerable endpoints.

  • Block or restrict access to URLs containing the substring 'api' and specifically the /api/gpt endpoint at the network firewall or web server level.
  • Implement IP whitelisting or VPN access to limit who can reach the Roxy-WI interface.
  • Monitor and log access attempts to the /api/gpt endpoint to detect unauthorized usage.

Once patches become available, apply them promptly to fix the authentication bypass by replacing the substring check with an explicit allowlist and adding proper authentication decorators.
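The two fixes named above, an explicit allowlist in place of the substring check and an authentication decorator on every API route, shown as an added example that is not Roxy-WI's code and not the eventual upstream patch. The Request class, the token set and the route names are constructed stand-ins for a Flask-style app (Flask's request.path carries no query string, which the allowlist relies on); the audit helper at the end is a way to catch the "new route without a decorator" case the summary warns about.

```python
from functools import wraps


class Request:
    """Constructed stand-in for a Flask-style request object."""
    def __init__(self, path, user=None, api_token=None):
        self.path = path            # path only, no query string (as in Flask)
        self.user = user            # set when a valid UI session exists
        self.api_token = api_token  # bearer/API token for the API blueprint


# Vulnerable pattern described in the advisory: any URL containing 'api' skips login.
def login_exempt_vulnerable(path):
    return "api" in path


# Hardened pattern: an explicit allowlist of exact paths and path prefixes.
LOGIN_EXEMPT_EXACT = {"/login", "/logout"}      # assumed public UI routes
LOGIN_EXEMPT_PREFIXES = ("/api/", "/static/")   # API blueprint does its own auth


def login_exempt(path):
    return path in LOGIN_EXEMPT_EXACT or any(
        path.startswith(prefix) for prefix in LOGIN_EXEMPT_PREFIXES
    )


def check_ui_login(request):
    """before_request-style hook: None means continue, otherwise a redirect tuple."""
    if login_exempt(request.path):
        return None
    if request.user is None:
        return ("redirect", "/login")
    return None


# Every API route must carry this decorator; a route without it is the CWE-306 defect.
VALID_API_TOKENS = {"constructed-token-123"}  # constructed sample value


def api_auth_required(view):
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.api_token not in VALID_API_TOKENS:
            return ("error", 401)
        return view(request, *args, **kwargs)
    wrapper.auth_required = True  # marker the route audit below looks for
    return wrapper


@api_auth_required
def api_gpt(request):
    return ("ok", 200)


def api_ping_unprotected(request):
    """Constructed example of a route that forgot the decorator."""
    return ("pong", 200)


def audit_api_routes(routes):
    """Return API route names registered without the auth decorator."""
    return [name for name, view in routes.items()
            if name.startswith("/api/") and not getattr(view, "auth_required", False)]


if __name__ == "__main__":
    routes = {"/api/gpt": api_gpt, "/api/ping": api_ping_unprotected}
    print("UI check without session:", check_ui_login(Request("/servers/")))
    print("API without token:", api_gpt(Request("/api/gpt")))
    print("Routes missing auth decorator:", audit_api_routes(routes))
```

Run the audit at application start-up (or in CI) so that adding a new API route without the decorator fails loudly instead of shipping as another unauthenticated endpoint.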

Compliance Impact

The vulnerability allows unauthenticated attackers to bypass authentication and access sensitive routes, including the /api/gpt endpoint. This unauthorized access can lead to exposure of license keys and the ability to make outbound network requests from the victim's IP, which may result in unauthorized data access or data leakage.

Such unauthorized access and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.
