Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() — which validates that the caller has some group, not that the target check_id belongs to it. The downstream SQL update functions update_smon, update_smonHttp, update_smonTcp, update_smonPing, update_smonDns (app/modules/db/smon.py:515-562) all execute WHERE smon_id = ? with no user_group filter. The DELETE path is correctly filtered (app/modules/db/smon.py:319-327 does WHERE id = ? AND user_group = ?), demonstrating that the maintainers know the right pattern but did not apply it on UPDATE. Therefore any authenticated user can iterate over smon_id values and silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. At time of publication, there are no publicly available patches.
Published: 2026-06-10
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Roxy-WI, a web interface for managing load balancers and web servers, contains an IDOR flaw on the PUT /smon/check endpoint. The authentication check only verifies that the caller belongs to any group, but it does not confirm that the specific smon_id being updated is owned by that group. Consequently, an authenticated user can iterate through smon_id values and silently overwrite the monitoring configuration of another tenant, changing URLs, IPs, or monitoring parameters. This bypass violates confidentiality, integrity, and availability of other tenants’ monitoring services and could be used to disrupt services or plant malicious endpoints.

Affected Systems

The affected vendor is Roxy-WI, current until at least version 8.2.6.4. The IDOR exists in all releases prior to that version; higher versions are not mentioned as patched. Therefore any deployment of Roxy-WI 8.2.6.4 or older is exposed.

Risk and Exploitability

The CVSS score of 9.1 classifies the vulnerability as critical. The EPSS score is not available, so the current exploitation likelihood is unknown, but the flaw requires only authenticated access and no special network privileges. There is no known public exploit yet and the vulnerability is not listed in the CISA KEV catalog. Attackers could abuse this by enumerating smon_id values and issuing legitimate authenticated requests to update checks for other tenants, bypassing group ownership checks. Because the bug omits a user_group filter on UPDATE statements, the exploit path is straightforward once credentials are obtained.

Generated by OpenCVE AI on June 10, 2026 at 15:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Roxy-WI to the latest release that removes the IDOR flaw on /smon/check. Check the project's changelog for the fix.
  • Disable or restrict the PUT /smon/check endpoint for users who are not required to modify monitoring checks. Apply group‑based access controls to limit who can perform updates.
  • Enable detailed audit logging for all HTTP PUT requests to /smon/check and periodically review logs for anomalous or unauthorized modifications.

Generated by OpenCVE AI on June 10, 2026 at 15:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
First Time appeared Roxy-wi
Roxy-wi roxy-wi
Vendors & Products Roxy-wi
Roxy-wi roxy-wi

Wed, 10 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() — which validates that the caller has some group, not that the target check_id belongs to it. The downstream SQL update functions update_smon, update_smonHttp, update_smonTcp, update_smonPing, update_smonDns (app/modules/db/smon.py:515-562) all execute WHERE smon_id = ? with no user_group filter. The DELETE path is correctly filtered (app/modules/db/smon.py:319-327 does WHERE id = ? AND user_group = ?), demonstrating that the maintainers know the right pattern but did not apply it on UPDATE. Therefore any authenticated user can iterate over smon_id values and silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. At time of publication, there are no publicly available patches.
Title Roxy-WI: IDOR on PUT /smon/check — any user can rewrite any tenant's monitoring URL/IP/body
Weaknesses CWE-639
CWE-862
CWE-863
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L'}

Subscriptions

Roxy-wi Roxy-wi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T16:31:33.373Z

Reserved: 2026-05-12T17:48:47.879Z

Link: CVE-2026-45550

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-06-10T15:16:36.160

Modified: 2026-06-10T15:16:36.160

Link: CVE-2026-45550

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses