Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user — even a guest in an unrelated group — can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.
Published: 2026-06-10
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an IDOR that allows any authenticated user—including users in unrelated groups—to read the full action history of any other user. By re‑using the server_ip path parameter as a user‑id when the service is "user", the application performs no authorization check. Attackers can therefore obtain detailed audit data such as which server IPs a victim accessed, which configurations were deployed, and which services were restarted, providing insight into operational details.

Affected Systems

All releases of Roxy‑WI up to and including 8.2.6.4, which provide a web interface for managing HAProxy, Nginx, Apache and Keepalived servers, are affected.

Risk and Exploitability

The vulnerability has a CVSS score of 4.3, indicating moderate severity. No EPSS score is available and the issue is not listed in the CISA KEV catalog, suggesting limited or no widespread exploitation yet. Attackers must first authenticate to Roxy‑WI and call the vulnerable GET /history/<service>/<server_ip> endpoint. Because no authorization check is performed, they can supply another user’s id in place of the server_ip path segment and obtain that user’s full audit trail. Successful exploitation compromises confidentiality, revealing sensitive deployment and configuration history that could aid future attacks.

Generated by OpenCVE AI on June 10, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Configure the web server or firewall to block or rate‑limit the GET /history/<service>/<server_ip> endpoint for unauthenticated or non‑privileged users
  • Add custom authorization checks on the server side to ensure that only the owner of the requested history can access it, or deny all users not belonging to a privileged group
  • Plan an upgrade to a future Roxy‑WI release that addresses the IDOR once the vendor publishes a patch or an official fix
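The second recommended action (a server-side, object-level authorization check) is illustrated below with an added example. This is not Roxy-WI's code or the vendor's fix: the handler names, the in-memory audit log, the user table and the "superAdmin" role are all constructed for the illustration. It shows the vulnerable pattern the advisory describes (the server_ip path segment silently becomes a user id when service is "user") next to a hardened variant that ties the requested id back to the caller.

```python
"""Added example for CVE-2026-45563: IDOR on GET /history/<service>/<server_ip>.

Hypothetical code, not Roxy-WI's. It contrasts a handler that performs no
object-level authorization with one that does.
"""

# Constructed audit log: (actor_user_id, action). Stands in for the real
# action-history table, which this example does not reproduce.
ACTION_HISTORY = [
    (1, "deploy config to 10.0.0.5"),
    (1, "restart haproxy on 10.0.0.5"),
    (2, "deploy config to 10.0.1.9"),
    (3, "view server list"),
]

# Constructed users: user_id -> (group, role). "superAdmin" is the assumed
# privileged role allowed to read anyone's history.
USERS = {
    1: ("ops", "superAdmin"),
    2: ("ops", "admin"),
    3: ("external", "guest"),
}

PRIVILEGED_ROLES = {"superAdmin"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to read the requested history."""


class NotFound(Exception):
    """Raised when the path segment cannot name a history object."""


def history_for_user(user_id):
    """All recorded actions performed by user_id, oldest first."""
    return [action for actor, action in ACTION_HISTORY if actor == user_id]


def history_for_server(server_ip):
    """All recorded actions that touched server_ip (substring match on the text)."""
    return [action for _, action in ACTION_HISTORY if server_ip in action]


def history_vulnerable(current_user_id, service, server_ip):
    """Mirrors the flaw: when service == 'user', server_ip is reinterpreted as a
    user id and nothing relates it to current_user_id, so any authenticated
    caller can read any user's trail."""
    if service == "user":
        return history_for_user(int(server_ip))
    return history_for_server(server_ip)


def may_read_history(current_user_id, target_user_id):
    """Object-level authorization decision: owner, or a privileged role."""
    if target_user_id == current_user_id:
        return True
    _, role = USERS.get(current_user_id, (None, None))
    return role in PRIVILEGED_ROLES


def history_hardened(current_user_id, service, server_ip):
    """Same route, with the id validated and authorized before any lookup."""
    if service == "user":
        try:
            target_user_id = int(server_ip)
        except ValueError:
            # A non-numeric segment is not a user id; do not fall through.
            raise NotFound(server_ip)
        if target_user_id not in USERS:
            raise NotFound(server_ip)
        if not may_read_history(current_user_id, target_user_id):
            # Deny before touching the data; log the attempt for detection.
            raise Forbidden(f"user {current_user_id} -> history of {target_user_id}")
        return history_for_user(target_user_id)
    return history_for_server(server_ip)


if __name__ == "__main__":
    # A guest (id 3) reading the superAdmin's (id 1) trail:
    print("vulnerable:", history_vulnerable(3, "user", "1"))
    try:
        history_hardened(3, "user", "1")
    except Forbidden as exc:
        print("hardened: 403", exc)
```

The check lives in `may_read_history` so the same decision can be reused by any route that exposes per-user objects; denying before the lookup also means a rejected request leaves no evidence of whether the target id exists beyond the separate `NotFound` path, and each `Forbidden` is a natural hook for an audit log entry.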

Generated by OpenCVE AI on June 10, 2026 at 15:23 UTC.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 15:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Roxy-wi
                                      Roxy-wi roxy-wi
Vendors & Products                    Roxy-wi
                                      Roxy-wi roxy-wi

Wed, 10 Jun 2026 15:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 14:45:00 +0000

Type          Values Removed   Values Added
Description                    Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user — even a guest in an unrelated group — can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.
Title                          Roxy-WI: IDOR — any authenticated user can read another user's full action history
Weaknesses                     CWE-639
                               CWE-863
References
Metrics                        cvssV3_1
                               {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T14:55:23.514Z

Reserved: 2026-05-12T19:00:14.599Z

Link: CVE-2026-45563

Vulnrichment

Updated: 2026-06-10T14:55:12.561Z

NVD

Status : Received

Published: 2026-06-10T15:16:37.167

Modified: 2026-06-10T16:17:06.767

Link: CVE-2026-45563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T15:30:15Z

Weaknesses