SQL Injection Flaw in Roxy-WI Web Interface by Roxy-WI
CVE-2026-45550
9.1 CRITICAL
What is CVE-2026-45550?
Roxy-WI versions up to 8.2.6.4 contain a significant SQL injection vulnerability. The flaw is in the PUT method of the /smon/check endpoint, which improperly validates the user's group against the target check_id. As a result, authenticated users can alter other tenants' HTTP, TCP, Ping, and DNS monitoring checks without sufficient authorization checks. Roxy-WI correctly applies user group filters in delete operations, but the same safeguards are missing from update functions, which exposes a critical path for abuse. As of now, no patches are available for this issue.
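The asymmetry described above, shown as an added example that is not Roxy-WI's own code: a group-filtered delete beside an update that omits the filter, then the update with the filter restored. The table, column and function names are assumptions made for illustration, and the rows are constructed sample data.

```python
import sqlite3

# Hypothetical schema: table and column names are assumptions, not Roxy-WI's.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE smon_check (check_id INTEGER PRIMARY KEY, "
               "group_id INTEGER NOT NULL, check_type TEXT NOT NULL, target TEXT NOT NULL)")
    db.executemany("INSERT INTO smon_check VALUES (?, ?, ?, ?)", [
        (1, 10, "http", "https://a.example/health"),  # constructed: owned by group 10
        (2, 20, "tcp", "b.example:443"),              # constructed: owned by group 20
    ])
    return db

def delete_check(db, user_group, check_id):
    """Delete path as the advisory describes it: filtered by the caller's group."""
    cur = db.execute("DELETE FROM smon_check WHERE check_id = ? AND group_id = ?",
                     (check_id, user_group))
    return cur.rowcount == 1

def update_check_unscoped(db, user_group, check_id, target):
    """Update path with the safeguard missing: user_group is never consulted."""
    cur = db.execute("UPDATE smon_check SET target = ? WHERE check_id = ?",
                     (target, check_id))
    return cur.rowcount == 1

def update_check_scoped(db, user_group, check_id, target):
    """Hardened update: ownership is part of the WHERE clause and every value
    is a bound parameter, so a foreign check_id matches zero rows."""
    cur = db.execute("UPDATE smon_check SET target = ? WHERE check_id = ? AND group_id = ?",
                     (target, check_id, user_group))
    return cur.rowcount == 1

def target_of(db, check_id):
    row = db.execute("SELECT target FROM smon_check WHERE check_id = ?",
                     (check_id,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    # A caller in group 10 submits an update for check 2, which group 20 owns.
    print("scoped update applied:", update_check_scoped(db, 10, 2, "changed.example:1"))
    print("check 2 target:", target_of(db, 2))
```

A handler built on the scoped form should return the same "not found" response for a missing check and for one owned by another group, so the response does not reveal which check_id values exist.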
Affected Version(s)
roxy-wi <= 8.2.6.4
