Access Control Weakness in Roxy-WI Web Interface by Roxy-WI
CVE-2026-45552
9.9 CRITICAL
What is CVE-2026-45552?
Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers, has a significant access control weakness. In versions 8.2.6.4 and earlier, several critical endpoints are improperly secured: any logged-in user, including one with minimal permissions, can install or reconfigure exporters, WAF, and GeoIP databases on every server in the Roxy-WI database. A user with the default guest role can therefore call these functions without proper authorization, putting tenant data and operations at risk. As of now, no patches have been released to address this vulnerability.
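The two checks the description says are missing, a minimum role and a match between the target server and the caller's tenant, are shown below as an added example; it is not Roxy-WI code. The role levels, the `User` record, the `SERVERS` inventory and all function names are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical role levels (lower number = more privilege); an assumption, not Roxy-WI's model.
ROLE_LEVEL = {"superAdmin": 1, "admin": 2, "user": 3, "guest": 4}

# Constructed inventory: server IP -> owning group (tenant).
SERVERS = {"10.0.1.10": 1, "10.0.2.20": 2}


@dataclass(frozen=True)
class User:
    name: str
    role: str
    group_id: int


class Forbidden(Exception):
    pass


def authorize_install(user, server_ip, min_role="admin"):
    """Raise Forbidden unless `user` may install or reconfigure a service on `server_ip`."""
    # Check 1: being logged in is not enough; the role must meet the minimum.
    level = ROLE_LEVEL.get(user.role)
    if level is None or level > ROLE_LEVEL[min_role]:
        raise Forbidden(f"role {user.role!r} may not install services")
    # Check 2: the target must belong to the caller's group. Unknown servers get
    # the same error, so the response does not reveal which servers exist.
    owner = SERVERS.get(server_ip)
    if owner is None or (owner != user.group_id and user.role != "superAdmin"):
        raise Forbidden("server not in caller's group")


def install_exporter(user, server_ip, exporter):
    # Authorization runs inside the handler, before any side effect.
    authorize_install(user, server_ip)
    return f"{exporter} exporter queued on {server_ip} by {user.name}"


def attempt(user, server_ip):
    """Return the handler result, or the denial reason, for a constructed request."""
    try:
        return install_exporter(user, server_ip, "node")
    except Forbidden as exc:
        return f"denied: {exc}"
```
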
Affected Version(s)
roxy-wi <= 8.2.6.4
