Unauthorized Access in Roxy-WI Web Interface for Haproxy, Nginx, Apache, and Keepalived Servers
CVE-2026-45563
4.3 MEDIUM
What is CVE-2026-45563?
Roxy-WI, a web interface for managing various server technologies, is susceptible to an authorization bypass vulnerability. This issue allows any authenticated user, including those without the relevant permissions, to access sensitive user information. Specifically, when the service parameter is set to 'user', the server_ip path parameter is misused as a user ID without proper authorization checks. As a result, users can view the full action audit trails of other users, revealing critical details about server interactions, including IPs handled and configurations deployed. At present, there are no patches available to rectify this vulnerability.
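The missing check described above, modelled in Python as an added example (this is not Roxy-WI's code). The function names, the sample accounts and audit entries, and the access policy in the hardened handler are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    user_id: int
    group_id: int
    is_admin: bool = False

# Constructed sample data (not from Roxy-WI): accounts and per-user audit trails.
USERS = {1: User(1, 1, is_admin=True), 2: User(2, 1), 3: User(3, 2)}
AUDIT = {
    1: ["deployed haproxy config on 10.0.0.5"],
    2: ["restarted nginx on 10.0.0.7"],
    3: ["edited keepalived config on 10.0.1.9"],
}

class Forbidden(Exception):
    """Raised when the requester may not read the requested trail."""

def history_vulnerable(requester: User, service: str, server_ip: str) -> list[str]:
    # Pattern from the advisory: with service == "user" the path value is
    # reinterpreted as a user id and the requester is never consulted.
    if service != "user":
        raise ValueError("only the 'user' branch is modelled here")
    return AUDIT.get(int(server_ip), [])

def may_view_user_history(requester: User, target_id: int) -> bool:
    # Assumed policy: own trail always; an admin may read the trails of
    # users in the admin's own group. Unknown ids are denied.
    target = USERS.get(target_id)
    if target is None:
        return False
    if target_id == requester.user_id:
        return True
    return requester.is_admin and target.group_id == requester.group_id

def history_hardened(requester: User, service: str, server_ip: str) -> list[str]:
    if service != "user":
        raise ValueError("only the 'user' branch is modelled here")
    if not server_ip.isdecimal():  # the path value must parse as a user id
        raise Forbidden("path value is not a user id")
    target_id = int(server_ip)
    if not may_view_user_history(requester, target_id):
        raise Forbidden("requester may not read this audit trail")
    return AUDIT.get(target_id, [])
```

The point of the hardened form is that the authorization decision is made on the value as it is actually interpreted (a user ID), not on the name of the parameter that carried it.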
Affected Version(s)
roxy-wi <= 8.2.6.4
