PatchSiren cyber security CVE debrief
CVE-2026-45550 roxy-wi CVE debrief
CVE-2026-45550 is a critical vulnerability in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. The vulnerability allows any authenticated user to silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. This is due to a flawed authorization mechanism in the PUT /smon/check endpoint, which fails to validate that the target check_id belongs to the caller. Specifically, the roxywi_common.check_user_group_for_flask() function only checks if the caller has some group, not that the target check_id is within that group. The downstream SQL update functions (update_smon, update_smonHttp, update_smonTcp, update_smonPing, update_smonDns) execute with a WHERE smon_id = ? filter, but without a user_group filter. The DELETE path, however, is correctly filtered. At the time of publication, there are no publicly available patches.
- Vendor: roxy-wi
- Product: Unknown
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Administrators and users of Roxy-WI, especially in multi-tenant deployments where several user groups share one instance, should treat this as urgent: any authenticated user can silently alter monitoring checks that belong to other tenants.
Technical summary
The vulnerability has a CVSS score of 9.1 and is classified as CRITICAL. It affects Roxy-WI versions 8.2.6.4 and prior. It is classified under CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization).
Defensive priority
High
Recommended defensive actions
- Apply patches or updates as soon as they become available; none were public at the time of publication.
- Restrict access to the PUT /smon/check endpoint to trusted administrators only, since every authenticated user can otherwise reach it.
- Implement additional authorization that validates the target check_id belongs to the caller's user group, matching the filtering already applied on the DELETE path.
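As an added illustration (not Roxy-WI's own code; the table, column and function names are assumptions), the unscoped UPDATE pattern the advisory describes beside the tenant-scoped form that the DELETE path already uses, using an in-memory SQLite table:

```python
import sqlite3

# Constructed schema: a minimal stand-in for a monitoring-check table with a
# tenant (user_group) column. Names are assumptions, not Roxy-WI's own.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE smon (id INTEGER PRIMARY KEY, "
                 "user_group INTEGER, name TEXT, url TEXT)")
    conn.executemany("INSERT INTO smon VALUES (?, ?, ?, ?)", [
        (1, 10, "tenant-a-site", "https://a.example/health"),
        (2, 20, "tenant-b-site", "https://b.example/health"),
    ])
    conn.commit()
    return conn

def update_check_unscoped(conn, check_id, url):
    """Vulnerable pattern: the WHERE clause filters on the check id only, so
    a caller from any group can rewrite a check owned by another tenant."""
    cur = conn.execute("UPDATE smon SET url = ? WHERE id = ?", (url, check_id))
    conn.commit()
    return cur.rowcount

def update_check_scoped(conn, check_id, caller_group, url):
    """Hardened pattern: the caller's group is part of the WHERE clause, so a
    check outside that group is never matched (rowcount 0)."""
    cur = conn.execute(
        "UPDATE smon SET url = ? WHERE id = ? AND user_group = ?",
        (url, check_id, caller_group),
    )
    conn.commit()
    return cur.rowcount

def put_check(conn, caller_group, check_id, url):
    """Handler-level view (hypothetical): a zero rowcount becomes a 404 so the
    response does not confirm that the id exists under another tenant."""
    if update_check_scoped(conn, check_id, caller_group, url) == 0:
        return 404, {"error": "check not found"}
    return 200, {"id": check_id, "url": url}

def get_url(conn, check_id):
    row = conn.execute("SELECT url FROM smon WHERE id = ?", (check_id,)).fetchone()
    return row[0]
```

The same scoping applies to each per-type update (HTTP, TCP, Ping, DNS): every statement that takes a caller-supplied id must also carry the caller's group in its filter.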
Evidence notes
The vulnerability was reported by an unknown source and is tracked as CVE-2026-45550. The NVD detail and the CVE.org record are listed under Official resources below.
Official resources
- CVE-2026-45550 CVE record (CVE.org)
- CVE-2026-45550 NVD detail (NVD)
- Source reference: CVE-2026-45550 was published on 2026-06-10T15:16:36.160Z and modified on 2026-06-10T19:37:41.437Z.