Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/{version,uptime,status,checks}/<server_ip> family of routes takes the URL path component verbatim into requests.get(f'http://{server_ip}:{agent_port}/...'). The path component is constrained only by Flask's default URL converter, which permits any value (including IPv4 literals like 169.254.169.254, RFC1918 ranges, and 127.0.0.1). At time of publication, there are no publicly available patches.
Published: 2026-06-10
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the Roxy-WI web interface in versions 8.2.6.4 and prior, where the /smon/agent routes accept any value in the <server_ip> path component and forward it directly to a backend agent using requests.get. Attacker-controlled values can therefore be used as the target host, including private, loopback and cloud metadata addresses. This enables retrieval of sensitive internal data or credentials from the agent process, compromising confidentiality; because the endpoint is open, no authentication is required. The weakness is classified as CWE-918.

Affected Systems

Roxy-WI installations running version 8.2.6.4 or earlier are affected, regardless of deployment environment. The issue is present whichever backends (HAProxy, Nginx, Apache or Keepalived) the Roxy-WI instance manages.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. No EPSS score is available and the vulnerability is not currently listed in the CISA KEV catalog, but the absence of input validation makes it exploitable from any host that can reach the vulnerable web interface. An attacker needs network connectivity to the Roxy-WI instance; without it the flaw cannot be triggered. Because the flaw grants unrestricted access to internal network resources, the impact can be significant when the attacker reaches the agent endpoint from a compromised internal host or from an external source with network access to the Roxy-WI service.

Generated by OpenCVE AI on June 10, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Roxy-WI to the latest patched release as soon as it becomes available.
  • If an upgrade is not possible, restrict access to the /smon/agent endpoints with firewall rules or reverse-proxy configuration, and block outbound traffic from the Roxy-WI host to private, loopback and cloud metadata IP ranges.
  • Add validation of the server_ip parameter in the web application so that private, RFC1918, loopback and known metadata IPs are rejected before the request is forwarded to the agent.
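As a concrete form of the validation step above, the following is an added example (not Roxy-WI's own code) of checking the server_ip path component before the agent URL is built: it requires a strict IP literal, refuses loopback, link-local (which contains the 169.254.169.254 metadata endpoint), multicast, unspecified and reserved space, and then requires membership in the panel's configured agent inventory. CONFIGURED_AGENTS, AGENT_ENDPOINTS, agent_url and the port 5100 are constructed assumptions, not values from the project.

```python
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed inventory of the agent hosts this panel manages (assumed name;
# the page does not show Roxy-WI's real inventory lookup).
CONFIGURED_AGENTS = frozenset({"10.20.0.5", "10.20.0.6", "2001:db8::a"})
# The four agent endpoints named in the advisory.
AGENT_ENDPOINTS = frozenset({"version", "uptime", "status", "checks"})


def normalize_ip(value: str) -> Optional[IPAddr]:
    """Strict IP-literal parse: hostnames, ports and CIDR suffixes fail.
    IPv4-mapped IPv6 is unwrapped so ::ffff:169.254.169.254 is judged as
    169.254.169.254 instead of passing as an unremarkable IPv6 address."""
    try:
        addr = ipaddress.ip_address(value.strip("[]"))
    except ValueError:
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def validate_agent_target(server_ip: str, allowlist=CONFIGURED_AGENTS) -> Optional[IPAddr]:
    """Return the normalized address if server_ip is a routable unicast literal
    listed in the inventory, else None. Loopback, link-local (metadata endpoint),
    multicast, unspecified and reserved space are refused before the lookup."""
    addr = normalize_ip(server_ip)
    if addr is None or (addr.is_loopback or addr.is_link_local or addr.is_multicast
                        or addr.is_unspecified or addr.is_reserved):
        return None
    # Membership is tested on normalized addresses, so an alternate spelling of
    # an allowed address (e.g. ::ffff:10.20.0.5) matches and nothing else does.
    if addr not in {normalize_ip(a) for a in allowlist}:
        return None
    return addr


def agent_url(server_ip: str, endpoint: str, agent_port: int = 5100) -> str:
    """Replaces the verbatim f-string the advisory describes: the URL is built
    only from a validated address and a known endpoint name. The default port
    5100 is a constructed value, not Roxy-WI's."""
    addr = validate_agent_target(server_ip)
    if addr is None or endpoint not in AGENT_ENDPOINTS:
        raise ValueError(f"refusing agent request to {server_ip!r}/{endpoint!r}")
    host = f"[{addr}]" if addr.version == 6 else str(addr)
    return f"http://{host}:{agent_port}/{endpoint}"
```

Testing membership in the configured inventory, rather than denying RFC1918 space outright, keeps agents that legitimately sit on private networks reachable while still refusing arbitrary internal targets.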

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Roxy-wi; Roxy-wi roxy-wi
Vendors & Products  |                | Roxy-wi; Roxy-wi roxy-wi

Wed, 10 Jun 2026 14:45:00 +0000

Type        | Values Removed | Values Added
Description |                | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the /smon/agent/{version,uptime,status,checks}/<server_ip> family of routes takes the URL path component verbatim into requests.get(f'http://{server_ip}:{agent_port}/...'). The path component is constrained only by Flask's default URL converter, which permits any value (including IPv4 literals like 169.254.169.254, RFC1918 ranges, and 127.0.0.1). At time of publication, there are no publicly available patches.
Title       |                | Roxy-WI: SSRF in /smon/agent/<endpoint>/<server_ip> reachable to cloud metadata IPs
Weaknesses  |                | CWE-918
References  |                |
Metrics     |                | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T16:31:27.460Z

Reserved: 2026-05-12T19:00:14.599Z

Link: CVE-2026-45561

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-10T15:16:37.023

Modified: 2026-06-10T15:16:37.023

Link: CVE-2026-45561

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses