CVE-2026-45567
Deferred - Pending Action

Authentication Bypass in Roxy-WI via API Endpoint

Vulnerability report for CVE-2026-45567, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability: the login check is skipped for any URL containing the 'api' substring, and the /api/gpt endpoint is reachable without authentication. At time of publication, there are no publicly available patches.

CVSS Scores

EPSS Scores


Meta Information

Published
2026-06-10
Last Modified
2026-06-10
Generated
2026-07-01
AI Q&A
2026-06-10
EPSS Evaluated
2026-06-29

Affected Vendors & Products

Showing 6 associated CPEs
Vendor Product Version / Range
roxy-wi roxy-wi to 8.2.6.4 (exc)
haproxy haproxy *
nginx nginx *
apache http_server *
keepalived keepalived *
roxy-wi roxy-wi 8.2.6.4

Helpful Resources

Exploitability

CWE
CWE ID Description
CWE-697 The product compares two entities in a security-relevant context, but the comparison is incorrect.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Attack-Flow Graph

AI Quick Actions

Executive Summary

CVE-2026-45567 is an authentication bypass vulnerability in Roxy-WI, a web interface for managing servers like Haproxy, Nginx, Apache, and Keepalived. The issue arises because the login check function improperly skips authentication if the substring "api" appears anywhere in the request URL. This was intended to defer authentication to the API blueprint but inadvertently exposes sensitive routes.

Specifically, the /api/gpt endpoint is registered without authentication decorators, making it fully accessible to unauthenticated attackers. This allows unauthorized access and potential misuse.

The root causes include an incorrect comparison (CWE-697) and missing authentication (CWE-306), which also risks future unauthenticated access to new routes lacking proper authentication decorators.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive endpoints in Roxy-WI without any authentication.

Potential impacts include unauthorized use of the /api/gpt endpoint, which can cause cost amplification from GPT quota usage, exposure of license keys, and the ability for attackers to make outbound network requests from the victim's IP address.

Because no privileges or user interaction are required, the risk is high and can lead to significant security and operational issues.

Detection Guidance

This vulnerability can be detected by checking whether the /api/gpt endpoint, or any URL on the Roxy-WI web interface containing the substring 'api', is served to a client that holds no session. A successful response with endpoint content, rather than a redirect to the login page, indicates the bypass.

You can use network scanning or HTTP request tools to test whether the /api/gpt endpoint is accessible without authentication.

  • Use curl to test access: curl -i http://<target-ip-or-host>/api/gpt
  • Use wget to test access: wget --spider http://<target-ip-or-host>/api/gpt
  • Use a web proxy or browser to manually access URLs containing 'api' and observe if authentication is prompted.

Mitigation Strategies

Since there are no publicly available patches at the time of publication, immediate mitigation involves restricting access to the vulnerable endpoints.

  • Block or restrict access to URLs containing the substring 'api' and specifically the /api/gpt endpoint at the network firewall or web server level.
  • Implement IP whitelisting or VPN access to limit who can reach the Roxy-WI interface.
  • Monitor and log access attempts to the /api/gpt endpoint to detect unauthorized usage.

Once patches become available, apply them promptly to fix the authentication bypass by replacing the substring check with an explicit allowlist and adding proper authentication decorators.
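The following is an added illustration written for this page, not Roxy-WI's own code: it reconstructs in simplified form the substring-based login skip described in the Executive Summary (CWE-697) beside the fix outlined above, an explicit allowlist for the global check plus a per-route authentication decorator on the API view (CWE-306). It also includes a startup audit that lists API routes registered without the decorator, so a future route cannot ship unauthenticated. Route names other than /api/gpt, the token value, and the request dictionaries are constructed for the demonstration.

```python
"""Substring-based login skip beside an allowlist-based one (CVE-2026-45567).

Simplified reconstruction written for this page; it is NOT Roxy-WI's code.
Route names other than /api/gpt, the token value and the request dicts are
constructed for the demonstration.
"""
from functools import wraps
from urllib.parse import urlsplit

API_PREFIX = "/api/"
SESSION_FREE_PATHS = frozenset({"/login", "/health"})  # constructed allowlist


def normalized_path(url: str) -> str:
    """Path component only: the query string and fragment never influence auth."""
    path = urlsplit(url).path or "/"
    return path if path == "/" else path.rstrip("/")


def vulnerable_skip_session_check(url: str) -> bool:
    """CWE-697: any URL containing 'api' (even in a query string) skips login."""
    return "api" in url


def hardened_skip_session_check(url: str) -> bool:
    """Explicit allowlist: only listed public paths and API-prefixed paths skip
    the session check; API paths must then carry their own token decorator."""
    path = normalized_path(url)
    return path in SESSION_FREE_PATHS or path.startswith(API_PREFIX)


class Unauthorized(Exception):
    pass


VALID_TOKEN = "constructed-demo-token"  # constructed; real deployments use per-user secrets


def requires_token(view):
    """Per-route API authentication (what the bare /api/gpt route lacks, CWE-306)."""
    @wraps(view)
    def wrapper(request):
        if request.get("token") != VALID_TOKEN:
            raise Unauthorized(view.__name__)
        return view(request)
    wrapper.auth_protected = True  # marker consumed by the startup audit below
    return wrapper


def api_gpt_unprotected(request):  # constructed stand-in for the route without a decorator
    return {"answer": "gpt response"}


@requires_token
def api_gpt_protected(request):
    return {"answer": "gpt response"}


def servers_view(request):  # constructed session-protected page
    return {"servers": ["lb1"]}


def dispatch(url, request, skip_session_check, routes):
    """Simulated before-request hook followed by routing; returns an HTTP-style status."""
    if not skip_session_check(url) and not request.get("session_user"):
        return "302 -> /login"
    view = routes.get(normalized_path(url))
    if view is None:
        return "404"
    try:
        view(request)
    except Unauthorized:
        return "401"
    return "200"


VULNERABLE_ROUTES = {"/api/gpt": api_gpt_unprotected, "/servers": servers_view}
HARDENED_ROUTES = {"/api/gpt": api_gpt_protected, "/servers": servers_view}


def audit_unprotected_api_routes(routes) -> list:
    """Startup check: API routes registered without the token decorator."""
    return sorted(path for path, view in routes.items()
                  if path.startswith(API_PREFIX) and not getattr(view, "auth_protected", False))


if __name__ == "__main__":
    anon = {}
    print(dispatch("/api/gpt", anon, vulnerable_skip_session_check, VULNERABLE_ROUTES))       # 200
    print(dispatch("/servers?q=api", anon, vulnerable_skip_session_check, VULNERABLE_ROUTES))  # 200
    print(dispatch("/api/gpt", anon, hardened_skip_session_check, HARDENED_ROUTES))           # 401
    print(dispatch("/servers?q=api", anon, hardened_skip_session_check, HARDENED_ROUTES))      # 302 -> /login
    print(audit_unprotected_api_routes(VULNERABLE_ROUTES))                                     # ['/api/gpt']
```

Two design points carry over to a real deployment: the global hook compares only the normalized path against a fixed allowlist, so nothing in a query string or a page name can flip the decision, and exempting the API prefix from the session check is only safe because every API view is individually decorated, which the audit function enforces at startup.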

Compliance Impact

The vulnerability allows unauthenticated attackers to bypass authentication and access sensitive routes, including the /api/gpt endpoint. This unauthorized access can lead to exposure of license keys and the ability to make outbound network requests from the victim's IP, which may result in unauthorized data access or data leakage.

Such unauthorized access and potential data exposure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive data.


EPSS Chart