CVE Catalog

CVE-2026-45550

CriticalCVSS 9.1
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.03%

10th percentile — higher than 10% of all known CVEs

Summary

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the PUT /smon/check functionality does not verify if the check_id belongs to the user's group, allowing unauthorized modifications to other users' monitoring settings.

Risk Assessment

Any authenticated user can alter the HTTP, TCP, Ping, and DNS monitoring settings of other users, leading to potential security breaches and data loss.

Recommendation

It is recommended to update to the latest version of Roxy-WI when patches become available and to implement additional filters in the update functions to restrict data access to the appropriate user groups.

Original NVD description (English source)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() — which validates that the caller has some group, not that the target check_id belongs to it. The downstream SQL update functions update_smon, update_smonHttp, update_smonTcp, update_smonPing, update_smonDns (app/modules/db/smon.py:515-562) all execute WHERE smon_id = ? with no user_group filter. The DELETE path is correctly filtered (app/modules/db/smon.py:319-327 does WHERE id = ? AND user_group = ?), demonstrating that the maintainers know the right pattern but did not apply it on UPDATE. Therefore any authenticated user can iterate over smon_id values and silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. At time of publication, there are no publicly available patches.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS