CRITICAL🇵🇱 Wersja polska

CVE-2026-45552

CVSS 9.9v3.1pub. 2026-06-10

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/routes/install/routes.py:36-39). The individual endpoints install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, and get_task_status are not wrapped in page_for_admin and do not call roxywi_common.is_user_has_access_to_its_group(server_ip) or check_is_server_in_group(server_ip). Only the GET index page (install_monitoring) gates on roxywi_auth.page_for_admin(level=2). Because the missing decorators omit both role and group checks, any logged-in user — including the default guest role 4 — can install/reconfigure exporters, WAF, and GeoIP databases on every server in the Roxy-WI database, regardless of tenant ownership. The Ansible playbooks run with the per-server SSH credential stored in Roxy-WI, which the credentials' rightful owner (a different tenant) has provisioned with sudo rights for the management workflow. At time of publication, there are no publicly available patches.

🤖 AI Analysis
How it works

The installation blueprint requires only JWT authentication (decorator @jwt_required()), but individual endpoints — install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, and get_task_status — are not protected by the page_for_admin decorator nor do they call functions checking server membership in the user's group (is_user_has_access_to_its_group, check_is_server_in_group). Only the GET endpoint of the main installation page (install_monitoring) has proper access control at level 2. An attacker, being a logged-in user, can specify any server from the Roxy-WI database — regardless of tenant membership — and initiate installation or reconfiguration on it via Ansible playbooks. Playbooks are executed with SSH credentials assigned to the given server, which the other tenant's owner configured with sudo privileges for management purposes.

Impact

An attacker can install and reconfigure metrics exporters, WAF modules, and GeoIP databases on servers belonging to other tenants, using stored SSH credentials with sudo privileges, which in practice enables complete takeover of the victim's infrastructure (privilege escalation, potential RCE in the context of managed servers).

Mitigation & patch

At the time of vulnerability publication, no public patches were available. You should monitor the project repository and published security advisories (GHSA-v3f8-g2v8-jq5h) and apply patches immediately upon release. In the meantime, it is recommended to restrict access to the Roxy-WI interface only to trusted users, disable guest accounts, and implement access control at the network level (firewall, VPN).

Who is affected

Roxy-WI version 8.2.6.4 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References