SQL Injection Flaw in Roxy-WI Web Interface by Roxy-WI
CVE-2026-45550

9.1 CRITICAL

Key Information:

Vendor

Roxy-wi

Status
Vendor
CVE Published: 10 June 2026

What is CVE-2026-45550?

Roxy-WI versions up to 8.2.6.4 contain a significant SQL injection vulnerability. The flaw is in the PUT method of the /smon/check endpoint, which does not properly validate the user's group against the target check_id. As a result, an authenticated user can alter other tenants' HTTP, TCP, Ping, and DNS monitoring checks. Roxy-WI correctly applies user group filters in delete operations, but the same safeguards are missing from the update functions, which exposes a critical path for abuse. As of now, no patches are available for this issue.
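The gap described above, a delete path scoped by group next to an update path that is not, shown as an added example that is not Roxy-WI's code. The `smon_checks` table, its columns, and the function names are hypothetical, and an in-memory SQLite database stands in for the real backend.

```python
import sqlite3

# Constructed sample data: two tenants (groups 1 and 2), one check each.
SAMPLE = [(1, 1, "http", "https://a.example/health"),
          (2, 2, "tcp", "db.b.example:5432")]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE smon_checks (check_id INTEGER PRIMARY KEY, "
               "group_id INTEGER NOT NULL, check_type TEXT, target TEXT)")
    db.executemany("INSERT INTO smon_checks VALUES (?, ?, ?, ?)", SAMPLE)
    return db

def target_of(db, check_id):
    row = db.execute("SELECT target FROM smon_checks WHERE check_id = ?",
                     (check_id,)).fetchone()
    return row[0] if row else None

def delete_check(db, user_group, check_id):
    # Delete path: the caller's group is part of the WHERE clause.
    cur = db.execute("DELETE FROM smon_checks WHERE check_id = ? AND group_id = ?",
                     (check_id, user_group))
    return cur.rowcount == 1

def update_check_unscoped(db, user_group, check_id, target):
    # Flawed update path: user_group is known but never used in the query,
    # so any authenticated caller can change any tenant's check.
    cur = db.execute("UPDATE smon_checks SET target = ? WHERE check_id = ?",
                     (target, check_id))
    return cur.rowcount == 1

def update_check_scoped(db, user_group, check_id, target):
    # Corrected update path: same group filter as the delete path. A zero
    # rowcount means "not found in your group" and should map to 403/404.
    cur = db.execute("UPDATE smon_checks SET target = ? "
                     "WHERE check_id = ? AND group_id = ?",
                     (target, check_id, user_group))
    return cur.rowcount == 1

if __name__ == "__main__":
    db = make_db()
    # A group 1 user addresses check_id 2, which belongs to group 2.
    print("unscoped update accepted:", update_check_unscoped(db, 1, 2, "changed"))
    db = make_db()
    print("scoped update accepted:  ", update_check_scoped(db, 1, 2, "changed"))
    print("check 2 target intact:   ", target_of(db, 2))
```

Until a fix is available, the same comparison works as an audit: any update to a check where the acting user's group differs from the check's group is a cross-tenant write.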

Affected Version(s)

roxy-wi <= 8.2.6.4

CVSS V3.1

Score: 9.1
Severity: CRITICAL
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved