Access Control Flaw in Roxy-WI Web Interface for Server Management
CVE-2026-45549

8.5 HIGH

Key Information:

Vendor: Roxy-wi

Status
Vendor
CVE Published: 10 June 2026

What is CVE-2026-45549?

The Roxy-WI web interface used for managing HAProxy, Nginx, Apache, and Keepalived servers has a significant security flaw. In versions prior to 8.2.6.4, the agent_action route lacks appropriate role checks and does not validate group ownership of the server_ip field. Consequently, any authenticated user, including those with guest-level privileges, can execute critical actions such as starting or stopping the roxy-wi-smon-agent with root privileges through passwordless sudo. At the time of this advisory, no patches are available to address this vulnerability.
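The two checks the description says are missing, shown as an added example (not Roxy-WI's own code): an authentication-only handler beside one that enforces a minimum role and group ownership of server_ip before dispatching the action. The role model, inventory, function names and return strings are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from enum import IntEnum

class Role(IntEnum):          # constructed role model: lower value = more privilege
    SUPERADMIN = 1
    ADMIN = 2
    USER = 3
    GUEST = 4

@dataclass(frozen=True)
class User:
    name: str
    role: Role
    group_id: int

# Constructed inventory: managed server IP -> owning group id
SERVER_GROUPS = {"10.0.1.10": 1, "10.0.2.20": 2}
ALLOWED_ACTIONS = {"start", "stop"}

class Forbidden(Exception):
    """Caller is authenticated but not authorized for this action or server."""

def agent_action_unchecked(user: User, action: str, server_ip: str) -> str:
    # Pattern from the description: being logged in is the only gate,
    # so role and server ownership never influence the outcome.
    return f"dispatch {action} to {server_ip}"

def agent_action_checked(user: User, action: str, server_ip: str,
                         min_role: Role = Role.ADMIN) -> str:
    if action not in ALLOWED_ACTIONS:
        raise ValueError("unsupported action")
    # Normalize and validate the address; raises ValueError on anything else.
    ip = str(ipaddress.ip_address(server_ip))
    # Role check: guests and ordinary users may not control the agent.
    if user.role > min_role:
        raise Forbidden(f"{user.name}: role {user.role.name} too low")
    # Ownership check: the server must be known and belong to the caller's group.
    owner = SERVER_GROUPS.get(ip)
    if owner is None:
        raise Forbidden(f"{ip} is not a managed server")
    if user.role != Role.SUPERADMIN and owner != user.group_id:
        raise Forbidden(f"{ip} belongs to another group")
    return f"dispatch {action} to {ip}"
```

Both decisions are made server-side from the session's user record and the inventory, never from values the client submits alongside server_ip.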

Affected Version(s)

roxy-wi <= 8.2.6.4

CVSS V3.1

Score: 8.5
Severity: HIGH
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
