QSearchQSearch

CVE-2026-45549

8.5 HIGH

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers

Published: 2026-06-10 · Last updated: 2026-06-10

Severity and scoring

CVSS
8.5 HIGH
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
CWE
CWE-862, CWE-863

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/<action>') and @jwt_required() only — no role check, no group ownership check on the server_ip form field. Any authenticated user, including role 4 (guest), can start, stop, or restart the roxy-wi-smon-agent systemd unit on any server they can name. Roxy-WI executes the systemd action over its own SSH credentials (passwordless sudo), so the action runs as root on the target. At time of publication, there are no publicly available patches.

Source: NVD

References

Related CVEs

Same CWE

  • CVE-2026-49219 ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
  • CVE-2026-46645 SQLAdmin is a flexible Admin interface for SQLAlchemy models (4.3 MEDIUM)
  • CVE-2026-53738 Copy & Delete Posts through 1.5.4 lets any plugin-enabled non-admin role invoke every operation in the cdp_action_handling AJAX handler (8.1 HIGH)
  • CVE-2026-53634 Sharp is a content management framework built for Laravel as a package (4.3 MEDIUM)
  • CVE-2026-0272 A privilege escalation vulnerability in Palo Alto Networks PAN-OS® software allows an authenticated administrator with access to the Comm...