Access Control Flaw in Roxy-WI Web Interface for Server Management
CVE-2026-45549
8.5 HIGH
What is CVE-2026-45549?
Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers, has a significant access control flaw. In versions prior to 8.2.6.4, the agent_action route lacks appropriate role checks and group ownership validation for the server_ip field. Consequently, any authenticated user, including those with guest-level privileges, can execute critical actions such as starting or stopping the roxy-wi-smon-agent, which run with root privileges through passwordless sudo. At the time of this advisory, no patches are available to address this vulnerability.
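The two checks the advisory describes as missing, a role check and a group ownership check on server_ip, written as an added sketch that is not Roxy-WI's own code. The function and class names, the role ranking, the "admin" minimum role, the superadmin exemption and the sample inventory are all assumptions made for illustration.

```python
from dataclasses import dataclass
import ipaddress

# Assumed role ranking (lower = more privilege); not taken from Roxy-WI source.
ROLE_RANK = {"superadmin": 1, "admin": 2, "user": 3, "guest": 4}
ALLOWED_ACTIONS = {"start", "stop"}
# Constructed sample inventory: server IP -> id of the group that owns it.
SAMPLE_SERVER_GROUPS = {"192.0.2.10": 1, "192.0.2.20": 2}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    group_id: int


class Forbidden(Exception):
    """The caller may not perform the requested agent action."""


def authorize_agent_action(user, action, server_ip, server_groups, min_role="admin"):
    """Return the normalized server IP if the action is allowed, else raise Forbidden."""
    if action not in ALLOWED_ACTIONS:
        raise Forbidden(f"unknown action: {action!r}")
    # Check 1: role. A role missing from the table ranks below every known role.
    rank = ROLE_RANK.get(user.role, len(ROLE_RANK) + 1)
    if rank > ROLE_RANK[min_role]:
        raise Forbidden(f"role {user.role!r} may not {action} the agent")
    # Parse server_ip so only a well-formed address is looked up and passed on.
    try:
        ip = str(ipaddress.ip_address(str(server_ip).strip()))
    except ValueError as exc:
        raise Forbidden("server_ip is not a valid IP address") from exc
    # Check 2: group ownership. The server must be registered, and it must
    # belong to the caller's group (assumption: superadmin spans all groups).
    owner = server_groups.get(ip)
    if owner is None:
        raise Forbidden("server is not registered")
    if user.role != "superadmin" and owner != user.group_id:
        raise Forbidden("server belongs to another group")
    return ip
```

A route handler would call this before anything reaches the sudo-backed agent command and pass on only the returned address.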
Affected Version(s)
roxy-wi <= 8.2.6.4
