Unauthorized Access in Roxy-WI Web Interface for Haproxy, Nginx, Apache, and Keepalived Servers
CVE-2026-45563

4.3 MEDIUM

Key Information:

Vendor

Roxy-wi

Status
Vendor
CVE Published:
10 June 2026

What is CVE-2026-45563?

Roxy-WI, a web interface for managing various server technologies, is susceptible to an authorization bypass vulnerability. This issue allows any authenticated user, including those without related permissions, to access sensitive user information. Specifically, when the service parameter is set to 'user', the server_ip path parameter is misused as a user ID without proper authorization checks. As a result, users can view full action audit trails of other users, revealing critical details about server interactions, including IPs handled and configurations deployed. At present, there are no patches available to rectify this vulnerability.
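
The missing check described above, shown beside a corrected form. This is an added example, not Roxy-WI code: the function names, the Session type, the is_admin flag and the audit data are all hypothetical and stand in for the application's real handler and permission model.

```python
from dataclasses import dataclass

# Constructed sample data: audit entries keyed by the user ID that made them.
AUDIT_LOG = {
    1: ["deployed haproxy config to 10.0.0.5", "restarted nginx on 10.0.0.9"],
    2: ["viewed keepalived status on 10.0.1.4"],
}


@dataclass(frozen=True)
class Session:
    user_id: int
    is_admin: bool  # assumed role flag; the real permission model may differ


class Forbidden(Exception):
    """Raised when the caller may not read the requested audit trail."""


def history_unchecked(session: Session, service: str, server_ip: str) -> list:
    # Pattern from the advisory: with service == 'user' the server_ip path
    # value is treated as a user ID, and the caller's identity is never used.
    if service == "user":
        return AUDIT_LOG.get(int(server_ip), [])
    return []


def history_checked(session: Session, service: str, server_ip: str) -> list:
    # Same lookup with an object-level authorization check in front of it.
    if service != "user":
        return []
    if not (server_ip.isascii() and server_ip.isdigit()):
        raise ValueError("user ID must be a decimal integer")
    target = int(server_ip)
    # Allow only the owner of the trail or an administrator (assumed policy).
    if target != session.user_id and not session.is_admin:
        raise Forbidden(f"user {session.user_id} may not read user {target}")
    return AUDIT_LOG.get(target, [])
```

The check belongs on the server, next to the lookup, so it applies whichever route or client reaches the handler.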

Affected Version(s)

roxy-wi <= 8.2.6.4

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.