CVE-2026-45552
CriticalCVSS 9.9Exploitation Probability (EPSS)
Low risk12th percentile — higher than 12% of all known CVEs
Summary
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the lack of proper decorators in certain endpoints allows any logged-in user, including the default guest role, to install and reconfigure exporters, WAF, and GeoIP databases on all servers in the Roxy-WI database.
Risk Assessment
The lack of proper access controls poses a risk that unauthorized users can make changes to server configurations, potentially leading to serious security breaches and data loss.
Recommendation
It is recommended to update to the latest version of Roxy-WI and implement additional access controls for endpoints to restrict unauthorized actions.
Original NVD description (English source)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/routes/install/routes.py:36-39). The individual endpoints install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, and get_task_status are not wrapped in page_for_admin and do not call roxywi_common.is_user_has_access_to_its_group(server_ip) or check_is_server_in_group(server_ip). Only the GET index page (install_monitoring) gates on roxywi_auth.page_for_admin(level=2). Because the missing decorators omit both role and group checks, any logged-in user — including the default guest role 4 — can install/reconfigure exporters, WAF, and GeoIP databases on every server in the Roxy-WI database, regardless of tenant ownership. The Ansible playbooks run with the per-server SSH credential stored in Roxy-WI, which the credentials' rightful owner (a different tenant) has provisioned with sudo rights for the management workflow. At time of publication, there are no publicly available patches.

