Access Control Weakness in Roxy-WI Web Interface by Roxy-WI
CVE-2026-45552

9.9 CRITICAL

Key Information:

Vendor

Roxy-wi

Status
Vendor
CVE Published: 10 June 2026

What is CVE-2026-45552?

Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers, has a significant access control weakness. In versions 8.2.6.4 and earlier, several critical endpoints are improperly secured: any logged-in user, including one with minimal permissions, has unrestricted access to install or reconfigure exporters, WAF, and GeoIP databases on all servers in the Roxy-WI database. As a result, users holding the default guest role can invoke these functions without proper authorization, putting tenant data and operations at risk. As of now, no patches have been released to address this vulnerability.

Affected Version(s)

roxy-wi <= 8.2.6.4

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved