CVE-2026-45563
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. In versions 8.2.6.4 and prior, the server_ip path parameter in GET /history/<service>/<server_ip> is reused as a user-id when service == 'user', with no authorization check.
Risk Assessment
Any authenticated user, even a guest in an unrelated group, can view other users' full action audit trails, leading to the exposure of sensitive information about server activities.
Recommendation
It is recommended to upgrade to the latest version of Roxy-WI as soon as patches become available. Additionally, consider restricting access to the interface for unauthorized users.
Original NVD description (English source)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user — even a guest in an unrelated group — can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.

