Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/<action>') and @jwt_required() only — no role check, no group ownership check on the server_ip form field. Any authenticated user, including role 4 (guest), can start, stop, or restart the roxy-wi-smon-agent systemd unit on any server they can name. Roxy-WI executes the systemd action over its own SSH credentials (passwordless sudo), so the action runs as root on the target. At time of publication, there are no publicly available patches.
Published: 2026-06-10
Score: 8.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is missing authorization on the POST /smon/agent/action/<action> endpoint in Roxy‑WI (CWE‑862 missing authorization, CWE‑863 incorrect authorization). The handler, agent_action in app/routes/smon/agent_routes.py, is guarded only by @jwt_required(), so any authenticated user, including a guest (role 4), can submit a start, stop or restart request for the roxy‑wi‑smon‑agent systemd unit with an arbitrary server_ip form value; nothing checks that the named server belongs to a group the user is a member of. Roxy‑WI then runs the systemd action over its own SSH credentials with passwordless sudo, so the command executes as root on the named host. The practical effect is that a guest can stop or restart the monitoring agent on every host Roxy‑WI manages, including its load balancers, taking the SMON checks on those hosts offline and leaving dependent services and users without the monitoring that relies on them.
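The two missing checks named in the description and above, modelled as an added example in plain Python so it runs without Flask or flask-jwt-extended. This is not Roxy‑WI's code: the real handler is only known from the advisory to carry @bp.post and @jwt_required(). The role numbering beyond "role 4 is guest", the group model, the inventory, the principals, and the function names vulnerable_agent_action and hardened_agent_action are assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed role numbering: the advisory only states that role 4 is "guest";
# the other values are placeholders for this example.
ROLE_SUPERADMIN, ROLE_USER, ROLE_GUEST = 1, 3, 4
ALLOWED_ACTIONS = frozenset({"start", "stop", "restart"})
UNIT = "roxy-wi-smon-agent"


@dataclass(frozen=True)
class User:
    name: str
    role: int
    groups: frozenset  # ids of the groups this user belongs to


@dataclass(frozen=True)
class Server:
    ip: str
    group_id: int  # the group that owns the server


class Forbidden(Exception):
    """Raised where a real handler would return HTTP 403."""


# Constructed inventory: two hosts owned by two different groups.
INVENTORY = {
    "10.0.0.11": Server("10.0.0.11", group_id=1),
    "10.0.0.22": Server("10.0.0.22", group_id=2),
}

# Constructed principals used by demo() and the checks below.
GUEST = User("eve", ROLE_GUEST, frozenset({2}))
OPERATOR = User("bob", ROLE_USER, frozenset({2}))
SUPERADMIN = User("root", ROLE_SUPERADMIN, frozenset())


def run_systemctl(server_ip: str, action: str) -> str:
    """Stand-in for the SSH + passwordless-sudo step. Returns the command
    that would run as root on the target instead of executing anything."""
    return f"ssh {server_ip} sudo systemctl {action} {UNIT}"


def vulnerable_agent_action(user, action: str, server_ip: str) -> str:
    """Mirrors the reported handler: a valid session is the only gate.
    The caller-chosen server_ip is never compared with the user's groups."""
    if user is None:
        raise Forbidden("no session")  # all that @jwt_required() provides
    return run_systemctl(server_ip, action)


def hardened_agent_action(user, action: str, server_ip: str) -> str:
    """Same entry point with the missing authorization added."""
    if user is None:
        raise Forbidden("no session")
    # Defensive allowlist on the URL parameter (whether the original
    # validates <action> is not stated in the advisory; this costs nothing).
    if action not in ALLOWED_ACTIONS:
        raise Forbidden(f"unsupported action {action!r}")
    # Role check (CWE-862): guests never get to operate on hosts.
    if user.role == ROLE_GUEST:
        raise Forbidden("guests cannot control agents")
    # Group-ownership check on the server_ip form field (CWE-863): resolve
    # it against the inventory and require the owning group to be one of
    # the caller's groups; only the superadmin spans all groups.
    server = INVENTORY.get(server_ip)
    if server is None:
        raise Forbidden("unknown server")
    if user.role != ROLE_SUPERADMIN and server.group_id not in user.groups:
        raise Forbidden("server belongs to another group")
    return run_systemctl(server_ip, action)


def denied(handler, user, action: str, server_ip: str) -> bool:
    """True if handler rejects the request with Forbidden."""
    try:
        handler(user, action, server_ip)
        return False
    except Forbidden:
        return True


def demo() -> dict:
    """Guest stops the agent on a host outside her group: allowed by the
    vulnerable handler, rejected by the hardened one."""
    return {
        "vulnerable": vulnerable_agent_action(GUEST, "stop", "10.0.0.11"),
        "hardened_denied": denied(hardened_agent_action, GUEST, "stop", "10.0.0.11"),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters in practice: the cheap role check runs before any database lookup, and the inventory lookup on server_ip happens before the command is built, so an unknown or foreign host never reaches the SSH step. In a real Flask handler the same three checks would sit between the JWT decorator and the call that opens the SSH session.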

Affected Systems

This flaw affects Roxy‑WI version 8.2.6.4 and earlier. Roxy‑WI is a web interface used to manage Haproxy, Nginx, Apache and Keepalived servers.

Risk and Exploitability

Both weaknesses are authorization failures (CWE‑862 missing authorization, CWE‑863 incorrect authorization). The CVSS 3.1 base score is 8.5 (High) with vector AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H: reachable over the network, low complexity, low privileges, no user interaction, and a scope change because the root‑level command lands on a managed host rather than on the web application itself. No EPSS score is available yet, and the CVE is not listed in the CISA KEV catalogue. The only prerequisite is a valid session, which a guest account provides; beyond that the attacker needs only a server_ip value, and any server the user can name qualifies. Because the whole path is one HTTP POST that ends in a systemctl call run as root over SSH, disruption is immediate and can be repeated host by host. With no official patch available at publication, mitigation falls to operators until one ships.

Generated by OpenCVE AI on June 10, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade as soon as the project publishes a release that adds role and group‑ownership checks to the /smon/agent/action/<action> handler; none was available at publication.
  • Until then, add the missing checks locally: require a non‑guest role in agent_action (app/routes/smon/agent_routes.py) and resolve the server_ip form field against the servers owned by the requesting user's group, rejecting anything else. If editing the application is not an option, restrict POST /smon/agent/action/ at the reverse proxy in front of Roxy‑WI to administrator source addresses.
  • Narrow the sudoers entry for the account Roxy‑WI uses over SSH to the exact commands it needs instead of blanket passwordless sudo. This does not close the bypass itself, but it bounds what an abused endpoint can run as root on the managed hosts.
  • Log and alert on stop and restart events for roxy‑wi‑smon‑agent on managed hosts (sudo and journald records on the target, plus the access log of the web server in front of Roxy‑WI), especially bursts across many hosts or events outside change windows, and review them regularly.
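An added example for the last recommendation, not part of the advisory or of Roxy‑WI: detection logic run over a few constructed sudo syslog lines of the kind a target host writes when Roxy‑WI's SSH account runs systemctl through passwordless sudo. The sudo record layout (`sudo:  <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>`) is the standard one; the account name roxy-wi, the host names, the timestamps and the thresholds are assumptions for the sample.

```python
import re
from collections import deque
from datetime import datetime, timedelta

UNIT = "roxy-wi-smon-agent"
# Account Roxy-WI logs in as over SSH: assumed name for this example.
SERVICE_ACCOUNT = "roxy-wi"

# Standard sudo syslog record:
# "<ts> <host> sudo:  <user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sudo:\s+"
    r"(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
AGENT_CTL_RE = re.compile(
    r"systemctl (?P<action>start|stop|restart) " + re.escape(UNIT) + r"\b"
)

# Constructed sample: one restart, then stops fanned out across four hosts
# within half a minute (what a guest iterating over server_ip looks like),
# an unrelated status call, and a human admin's manual stop.
SAMPLE_LOG = """\
Jun 10 15:40:02 lb1 sudo:  roxy-wi : TTY=unknown ; PWD=/home/roxy-wi ; USER=root ; COMMAND=/usr/bin/systemctl restart roxy-wi-smon-agent
Jun 10 15:40:03 lb1 sudo:  roxy-wi : TTY=unknown ; PWD=/home/roxy-wi ; USER=root ; COMMAND=/usr/bin/systemctl status haproxy
Jun 10 15:41:10 lb2 sudo:  roxy-wi : TTY=unknown ; PWD=/home/roxy-wi ; USER=root ; COMMAND=/usr/bin/systemctl stop roxy-wi-smon-agent
Jun 10 15:41:12 lb3 sudo:  roxy-wi : TTY=unknown ; PWD=/home/roxy-wi ; USER=root ; COMMAND=/usr/bin/systemctl stop roxy-wi-smon-agent
Jun 10 15:41:15 lb4 sudo:  roxy-wi : TTY=unknown ; PWD=/home/roxy-wi ; USER=root ; COMMAND=/usr/bin/systemctl stop roxy-wi-smon-agent
Jun 10 15:41:40 lb1 sudo:  roxy-wi : TTY=unknown ; PWD=/home/roxy-wi ; USER=root ; COMMAND=/usr/bin/systemctl stop roxy-wi-smon-agent
Jun 10 16:05:00 lb1 sudo:  alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl stop roxy-wi-smon-agent
"""


def parse_agent_events(log_text: str, service_account: str = SERVICE_ACCOUNT) -> list:
    """Return start/stop/restart events for UNIT issued through sudo by the
    service account, as dicts sorted by time. Other users and other
    commands (e.g. systemctl status) are ignored."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if not m or m.group("user") != service_account:
            continue
        c = AGENT_CTL_RE.search(m.group("cmd"))
        if not c:
            continue
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "host": m.group("host"),
            "action": c.group("action"),
        })
    return sorted(events, key=lambda e: e["ts"])


def analyze(log_text: str, burst_hosts: int = 3, window_s: int = 60) -> list:
    """Two rules. Every stop of the agent by the service account is an
    alert (a stop blinds monitoring; tune this if stops are routine for
    you). Start/stop/restart events touching >= burst_hosts distinct hosts
    inside a sliding window of window_s seconds are reported once, as a
    fleet-wide burst, until the window drops below the threshold again."""
    events = parse_agent_events(log_text)
    alerts = [
        {"rule": "agent-stop", "host": e["host"], "ts": e["ts"]}
        for e in events if e["action"] == "stop"
    ]
    window = deque()
    in_burst = False
    for e in events:
        window.append(e)
        while e["ts"] - window[0]["ts"] > timedelta(seconds=window_s):
            window.popleft()
        hosts = {w["host"] for w in window}
        if len(hosts) >= burst_hosts:
            if not in_burst:
                alerts.append({"rule": "fleet-burst", "hosts": sorted(hosts), "ts": window[0]["ts"]})
                in_burst = True
        else:
            in_burst = False
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample this yields four agent-stop alerts (lb2, lb3, lb4, lb1) and one fleet-burst alert for lb2, lb3 and lb4, raised at 15:41:10 when the third distinct host appears inside the 60‑second window. The restart at 15:40:02 is outside the window and the manual stop by alice is not attributed to the service account, so neither contributes. Feeding the same function the output of `journalctl -t sudo -o short` on each managed host, or the forwarded syslog stream, is the obvious production wiring.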

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:45:00 +0000

Type                   Values Removed    Values Added
First Time appeared                      Roxy-wi
                                         Roxy-wi roxy-wi
Vendors & Products                       Roxy-wi
                                         Roxy-wi roxy-wi

Wed, 10 Jun 2026 14:45:00 +0000

Type                   Values Removed    Values Added
Description                              Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/<action>') and @jwt_required() only — no role check, no group ownership check on the server_ip form field. Any authenticated user, including role 4 (guest), can start, stop, or restart the roxy-wi-smon-agent systemd unit on any server they can name. Roxy-WI executes the systemd action over its own SSH credentials (passwordless sudo), so the action runs as root on the target. At time of publication, there are no publicly available patches.
Title                                    Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or restart smon-agent on any host
Weaknesses                               CWE-862
                                         CWE-863
References
Metrics                                  cvssV3_1: {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T16:03:08.182Z

Reserved: 2026-05-12T17:48:47.879Z

Link: CVE-2026-45549

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T15:16:35.997

Modified: 2026-06-10T15:16:35.997

Link: CVE-2026-45549

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T16:00:07Z

Weaknesses