Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or restart smon-agent on any host
CVE-2026-45549

8.5HIGH

Key Information:

Vendor: Roxy-wi
Status: Roxy-wi
Vendor: CVE Published:; 10 June 2026

What is CVE-2026-45549?

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/') and @jwt_required() only — no role check, no group ownership check on the server_ip form field. Any authenticated user, including role 4 (guest), can start, stop, or restart the roxy-wi-smon-agent systemd unit on any server they can name. Roxy-WI executes the systemd action over its own SSH credentials (passwordless sudo), so the action runs as root on the target. At time of publication, there are no publicly available patches.

Affected Version(s)

roxy-wi <= 8.2.6.4

References

https://github.com/roxy-wi/roxy-wi/security/advisories/GH...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.5

Severity:

HIGH

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 10, 2026
Vulnerability Reserved
May 12, 2026

CVE-2026-45549 Data

JSON

Roxy-wi

What is CVE-2026-45549?

Affected Version(s)

References

CVSS V3.1

Timeline