Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/routes/install/routes.py:36-39). The individual endpoints install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, and get_task_status are not wrapped in page_for_admin and do not call roxywi_common.is_user_has_access_to_its_group(server_ip) or check_is_server_in_group(server_ip). Only the GET index page (install_monitoring) gates on roxywi_auth.page_for_admin(level=2). Because the missing decorators omit both role and group checks, any logged-in user — including the default guest role 4 — can install/reconfigure exporters, WAF, and GeoIP databases on every server in the Roxy-WI database, regardless of tenant ownership. The Ansible playbooks run with the per-server SSH credential stored in Roxy-WI, which the credentials' rightful owner (a different tenant) has provisioned with sudo rights for the management workflow. At time of publication, there are no publicly available patches.
Published: 2026-06-10
Score: 9.9 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

In Roxy-WI 8.2.6.4 and earlier the install blueprint protects its endpoints only with a blueprint-wide JWT check (bp.before_request → @jwt_required()). The handlers install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version and get_task_status perform neither the role check (page_for_admin) nor the tenant check (roxywi_common.is_user_has_access_to_its_group(server_ip) / check_is_server_in_group(server_ip)); only the GET index page gates on page_for_admin(level=2). Any authenticated account, down to the default guest role 4, can therefore trigger the Ansible playbooks behind these endpoints against any server in the Roxy-WI database, selecting the target by server_ip. The playbooks log in with the per-server SSH credential stored in Roxy-WI, which the owning tenant provisioned with sudo rights for the management workflow, so a guest from one tenant obtains privileged installation and reconfiguration of exporters, WAF and GeoIP on servers belonging to other tenants. The root cause is missing and incorrect authorization (CWE-862, CWE-863) combined with an attacker-controlled target key (CWE-639); the practical effect is cross-tenant privileged execution on managed hosts.

Affected Systems

The affected product is Roxy-WI, a web interface for managing Haproxy, Nginx, Apache and Keepalived servers, in versions 8.2.6.4 and all earlier releases; no fixed release was available at publication. Any authenticated Roxy-WI account can exploit the flaw, down to the default guest role 4, and the tenant (group) the account belongs to does not matter. The issue is not tied to an operating system: every server registered in the Roxy-WI database is reachable, whatever it runs, because the playbooks connect to it over SSH with the credential Roxy-WI stores for that server.

Risk and Exploitability

The CVSS 3.1 base score of 9.9 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H) is Critical; the changed scope reflects that a low-privileged account in the web interface reaches hosts owned by other tenants. No EPSS score is available yet and the CVE is not in the CISA KEV catalog, but the SSVC record on this page marks Exploitation as 'poc' and Technical Impact as 'total', and with no patch or workaround the practical risk is high. The only precondition is a valid login to the web interface: the guest role is sufficient, and no user interaction or further privilege is needed.

Generated by OpenCVE AI on June 10, 2026 at 15:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Until a fixed release is available, remove or disable guest and other untrusted accounts, and restrict the /install/* routes at the reverse proxy in front of Roxy-WI to administrator source networks. Tightening role permissions inside Roxy-WI alone does not help: the affected endpoints never consult the caller's role
  • Fix the code: wrap install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version and get_task_status in the same page_for_admin(level=2) gate the index page already uses, and have each of them call roxywi_common.is_user_has_access_to_its_group(server_ip) or check_is_server_in_group(server_ip) before any playbook is queued, so that both the role and the tenant of the caller are checked against the target server
  • If exploitation is suspected, rotate the per-server SSH credentials stored in Roxy-WI; in any case scope the sudo rights of that account to the specific commands the management playbooks require rather than unrestricted root, so that a future authorization bypass in the web interface yields less than full control of the host
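The missing checks described in the advisory and in the second action above come down to two gates that the blueprint-wide JWT hook does not provide: a role gate on the handler and a per-target tenant gate. The following is an added example, not Roxy-WI's own code, that models the dispatch in plain Python (no Flask needed) so it can be run offline: a vulnerable handler that does only what the blueprint hook does, beside a hardened one. The helper names page_for_admin, check_is_server_in_group and run_playbook are modelled on the advisory's description, the role numbering (role 4 = guest, admin at level 2) is an assumption taken from the advisory text, and the two-tenant server fixture is constructed for the example.

```python
# Added example, not Roxy-WI's code: a minimal model of the dispatch the advisory
# describes, showing why a blueprint-wide JWT hook enforces neither role nor tenant
# and what the per-endpoint checks must do. Helper names, the role numbering
# (4 = guest, admin at level 2) and the server/group fixture are modelled on the
# advisory or constructed here; none of it is the real implementation.
from dataclasses import dataclass
from functools import wraps
from typing import Optional

ADMIN_LEVEL = 2   # the index page gates on page_for_admin(level=2) per the advisory
GUEST_ROLE = 4    # the default guest role named in the advisory

@dataclass(frozen=True)
class User:
    name: str
    role: int       # assumption: lower number = more privilege, so role <= 2 is admin
    group_id: int   # the tenant (group) the account belongs to

@dataclass(frozen=True)
class Server:
    ip: str
    group_id: int   # the tenant that owns the server and its stored SSH credential

# Constructed fixture: two tenants, one server each.
SERVERS = {
    "10.0.1.10": Server("10.0.1.10", group_id=1),
    "10.0.2.20": Server("10.0.2.20", group_id=2),
}

class Unauthorized(Exception):
    """No valid session: what the JWT hook rejects."""

class Forbidden(Exception):
    """Valid session, but wrong role or wrong tenant for the target server."""

@dataclass
class Request:
    user: Optional[User]   # None models a request without a valid JWT
    server_ip: str         # the attacker-chosen target (the CWE-639 key)

def jwt_required(req: Request) -> None:
    """Stand-in for the blueprint-wide before_request -> @jwt_required(): it only
    proves the caller is *some* logged-in user."""
    if req.user is None:
        raise Unauthorized("missing or invalid JWT")

def page_for_admin(level: int):
    """Role gate, modelled on roxywi_auth.page_for_admin(level=...)."""
    def deco(fn):
        @wraps(fn)
        def wrapper(req: Request):
            if req.user.role > level:
                raise Forbidden(f"role {req.user.role} exceeds allowed level {level}")
            return fn(req)
        return wrapper
    return deco

def check_is_server_in_group(req: Request) -> Server:
    """Tenant gate, modelled on check_is_server_in_group(server_ip): the target
    must exist and belong to the caller's own group."""
    server = SERVERS.get(req.server_ip)
    if server is None or server.group_id != req.user.group_id:
        raise Forbidden(f"{req.server_ip} is not in group {req.user.group_id}")
    return server

def run_playbook(user: User, server: Server) -> dict:
    """Stand-in for the Ansible run; the real one logs in with the SSH credential
    stored for this server, i.e. the owning tenant's sudo-capable account."""
    return {"user": user.name, "target": server.ip, "credential_owner_group": server.group_id}

# Vulnerable shape: after the blueprint hook the handler goes straight to work.
def install_exporter_vulnerable(req: Request) -> dict:
    jwt_required(req)
    return run_playbook(req.user, SERVERS[req.server_ip])   # no role, no tenant check

# Hardened shape: role gate on the handler plus a per-target tenant check.
@page_for_admin(level=ADMIN_LEVEL)
def _install_exporter_checked(req: Request) -> dict:
    return run_playbook(req.user, check_is_server_in_group(req))

def install_exporter_fixed(req: Request) -> dict:
    jwt_required(req)
    return _install_exporter_checked(req)

def outcome(handler, req: Request) -> str:
    """Classify a handler's result for a request: 'ran', 'forbidden' or 'unauthorized'."""
    try:
        handler(req)
        return "ran"
    except Forbidden:
        return "forbidden"
    except Unauthorized:
        return "unauthorized"

if __name__ == "__main__":
    # A tenant-1 guest aiming at tenant 2's server: the scenario in the advisory.
    cross_tenant = Request(User("guest", role=GUEST_ROLE, group_id=1), "10.0.2.20")
    print("vulnerable:", outcome(install_exporter_vulnerable, cross_tenant))  # ran
    print("fixed:     ", outcome(install_exporter_fixed, cross_tenant))       # forbidden
```

The order of the two gates in the hardened handler matters: the role gate runs before the tenant lookup, so an unprivileged caller learns nothing about which server IPs exist in other groups, and the tenant gate compares the stored owner of the target against the caller's group rather than anything the caller supplies.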


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 16:15:00 +0000

Type                  Values Removed    Values Added
First Time appeared                     Roxy-wi
                                        Roxy-wi roxy-wi
Vendors & Products                      Roxy-wi
                                        Roxy-wi roxy-wi

Wed, 10 Jun 2026 15:30:00 +0000

Type      Values Removed    Values Added
Metrics                     ssvc
                            {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 14:45:00 +0000

Type          Values Removed    Values Added
Description                     Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/routes/install/routes.py:36-39). The individual endpoints install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, and get_task_status are not wrapped in page_for_admin and do not call roxywi_common.is_user_has_access_to_its_group(server_ip) or check_is_server_in_group(server_ip). Only the GET index page (install_monitoring) gates on roxywi_auth.page_for_admin(level=2). Because the missing decorators omit both role and group checks, any logged-in user — including the default guest role 4 — can install/reconfigure exporters, WAF, and GeoIP databases on every server in the Roxy-WI database, regardless of tenant ownership. The Ansible playbooks run with the per-server SSH credential stored in Roxy-WI, which the credentials' rightful owner (a different tenant) has provisioned with sudo rights for the management workflow. At time of publication, there are no publicly available patches.
Title                           Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on every registered server
Weaknesses                      CWE-639
                                CWE-862
                                CWE-863
References
Metrics                         cvssV3_1
                                {'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T14:53:08.118Z

Reserved: 2026-05-12T17:48:47.880Z

Link: CVE-2026-45552

Vulnrichment

Updated: 2026-06-10T14:53:04.737Z

NVD

Status : Deferred

Published: 2026-06-10T15:16:36.303

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-45552

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T16:00:07Z

Weaknesses