CVE-2026-45550
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the PUT /smon/check functionality does not verify if the check_id belongs to the user's group, allowing unauthorized modifications to other users' monitoring settings.
Risk Assessment
Any authenticated user can alter the HTTP, TCP, Ping, and DNS monitoring settings of other users, leading to potential security breaches and data loss.
Recommendation
It is recommended to update to the latest version of Roxy-WI when patches become available and to implement additional filters in the update functions to restrict data access to the appropriate user groups.
Original NVD description (English source)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() — which validates that the caller has some group, not that the target check_id belongs to it. The downstream SQL update functions update_smon, update_smonHttp, update_smonTcp, update_smonPing, update_smonDns (app/modules/db/smon.py:515-562) all execute WHERE smon_id = ? with no user_group filter. The DELETE path is correctly filtered (app/modules/db/smon.py:319-327 does WHERE id = ? AND user_group = ?), demonstrating that the maintainers know the right pattern but did not apply it on UPDATE. Therefore any authenticated user can iterate over smon_id values and silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. At time of publication, there are no publicly available patches.

