PatchSiren cyber security CVE debrief
CVE-2026-45549 roxy-wi CVE debrief
CVE-2026-45549 is a high-severity vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The vulnerability affects versions 8.2.6.4 and prior. Specifically, the `agent_action` function in `app/routes/smon/agent_routes.py` (lines 166-179) lacks role checks and group ownership verification on the `server_ip` form field. Consequently, any authenticated user, including those with role 4 (guest), can initiate, halt, or restart the `roxy-wi-smon-agent` systemd unit on any server they specify. Since Roxy-WI executes systemd actions using its own SSH credentials with passwordless sudo, these actions run as root on the target server.
- Vendor
- roxy-wi
- Product
- Unknown
- CVSS
- HIGH 8.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-10
- Original CVE updated
- 2026-06-10
- Advisory published
- 2026-06-10
- Advisory updated
- 2026-06-10
Who should care
Administrators and users of Roxy-WI, especially those with versions 8.2.6.4 or earlier, should be aware of this vulnerability. Given its high CVSS score of 8.5, immediate attention is recommended.
Technical summary
The vulnerability is characterized by the following details: CVSS Score: 8.5, CVSS Severity: HIGH, Published Date: 2026-06-10T15:16:35.997Z, Modified Date: 2026-06-10T19:37:41.437Z. The Common Vulnerabilities and Exposures (CVE) vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H. Weaknesses associated with this vulnerability include CWE-862 and CWE-863.
Defensive priority
High
Recommended defensive actions
- Upgrade to a patched version of Roxy-WI as soon as available.
- Restrict access to the Roxy-WI interface to trusted users only.
- Monitor Roxy-WI server logs for suspicious activities.
Evidence notes
Evidence for this CVE comes from the National Vulnerability Database (NVD) and a security advisory from GitHub (GHSA-c92j-h72m-ff4j).
Official resources
-
CVE-2026-45549 CVE record
CVE.org
-
CVE-2026-45549 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
CVE-2026-45549 was published on 2026-06-10T15:16:35.997Z and modified on 2026-06-10T19:37:41.437Z.