Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability via 'api' substring in URL + unauthenticated /api/gpt. At time of publication, there are no publicly available patches.
Published: 2026-06-10
Score: 8.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived, contains a flaw that allows authentication bypass through the use of the substring "api" in URLs and an unauthenticated /api/gpt endpoint. The vulnerability is a case of improper authentication (CWE-287), compounded by a missing authentication check for a critical function (CWE-306) and incorrect comparison logic (CWE-697). The result is that an attacker can gain the same level of access as a legitimate logged-in user without providing credentials, effectively turning the management interface into an open door for further malicious activity.
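As an added illustration (this is not Roxy-WI's own code, and the route names are constructed), the flaw class named above beside a hardened gate: a session check that exempts any URL containing the substring "api" lets unrelated management pages through and leaves an API route such as /api/gpt with no check at all, whereas an exact allow-list of normalised paths only exempts what is meant to be public.

```python
"""Illustrative example added to this entry; it is not Roxy-WI's own code.

It models the flaw class named above (CWE-697: an 'api' substring test used
as the session-check exemption, which also leaves a route such as /api/gpt
with no check at all) beside a hardened gate that uses an exact allow-list
of normalised paths. Route names below are constructed for the example.
"""
from urllib.parse import urlsplit

# Constructed allow-list: the only routes reachable without a session.
PUBLIC_PATHS = {"/login", "/api/login"}


def _normalise(url: str) -> str:
    """Drop query/fragment, collapse '//' and trailing '/', lower-case."""
    parts = [p for p in urlsplit(url).path.split("/") if p]
    return "/" + "/".join(parts).lower()


def needs_session_vulnerable(url: str) -> bool:
    """Substring gate: any URL containing 'api' is assumed to be an API call
    and skips the session check, so '/app/servers?search=rapid' slips by."""
    if "api" in url:
        return False
    return url not in PUBLIC_PATHS


def needs_session_hardened(url: str) -> bool:
    """Exact allow-list on the normalised path; every other route, API routes
    included, must present a valid session (or its own token) to proceed."""
    return _normalise(url) not in PUBLIC_PATHS


def unauthenticated_reach(urls, gate) -> list:
    """Return the URLs that `gate` would serve with no session at all."""
    return [u for u in urls if not gate(u)]


# Constructed requests: a legitimate login, the unauthenticated API route
# from the advisory, and two management pages that match only by substring.
SAMPLE_URLS = [
    "/login",
    "/api/gpt",
    "/app/servers?search=rapid",
    "/app/users/?sort=capital",
]
```

Calling `unauthenticated_reach(SAMPLE_URLS, needs_session_vulnerable)` returns all four constructed URLs, while the hardened gate returns only `/login`.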

Affected Systems

The affected product is Roxy-WI version 8.2.6.4 and earlier. All installations of those releases that expose the web management console are susceptible until a patch is applied or access control is tightened.

Risk and Exploitability

The CVSS score of 8.3 classifies this issue as High, and the vector (AV:N, PR:N, UI:N) indicates that an unauthenticated remote attacker could perform privileged operations through the management interface and potentially compromise the underlying servers. While the EPSS score is not available, the nature of the flaw suggests that a remote attacker could craft a URL containing the substring "api" or target the public /api/gpt endpoint and bypass authentication. The vulnerability is not currently listed in CISA KEV, but its high severity and the lack of a publicly available fix warrant careful monitoring of exploit activity and prompt mitigation.

Generated by OpenCVE AI on June 10, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an official patch or update as soon as it becomes available.
  • Disable or block the /api/gpt and any other API endpoints that do not require authentication, for example by configuring the web server to reject those paths.
  • Restrict network access to the Roxy-WI interface, allowing connections only from trusted management hosts and blocking external exposure.
  • Continuously monitor access logs for unauthorized requests to the management interface and promptly investigate any suspicious activity.


Tracking


Advisories

No advisories yet.

History

Wed, 10 Jun 2026 17:45:00 +0000

Type: First Time appeared; Values Removed: (none); Values Added: Roxy-wi, Roxy-wi roxy-wi
Type: Vendors & Products; Values Removed: (none); Values Added: Roxy-wi, Roxy-wi roxy-wi

Wed, 10 Jun 2026 17:30:00 +0000

Type: Metrics; Values Removed: (none); Values Added: ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 10 Jun 2026 16:00:00 +0000

Type: Description; Values Removed: (none); Values Added: Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability via 'api' substring in URL + unauthenticated /api/gpt. At time of publication, there are no publicly available patches.
Type: Title; Values Removed: (none); Values Added: Roxy-WI: Authentication bypass via 'api' substring in URL + unauthenticated /api/gpt
Type: Weaknesses; Values Removed: (none); Values Added: CWE-287, CWE-306, CWE-697
Type: References; Values Removed: (none); Values Added:
Type: Metrics; Values Removed: (none); Values Added: cvssV3_1

{'score': 8.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T16:31:15.237Z

Reserved: 2026-05-12T19:00:14.600Z

Link: CVE-2026-45567

Vulnrichment

Updated: 2026-06-10T16:29:11.345Z

NVD

Status : Deferred

Published: 2026-06-10T16:17:07.957

Modified: 2026-06-10T19:37:41.437

Link: CVE-2026-45567

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T17:30:36Z

Weaknesses